CVE-2022-34817

Vulnerability

Overview

The Jenkins Failed Job Deactivator Plugin, versions 1.2.1 and earlier, contains a cross-site request forgery (CSRF) vulnerability. This flaw permits an attacker to trick an authenticated Jenkins administrator into making an unintended request, which can disable any job on the Jenkins instance. The root cause is the lack of CSRF protection on the plugin's endpoints, allowing malicious HTTP requests to be forged [1][2].

Exploitation

Exploitation does not require direct authentication to the vulnerable plugin. Instead, an attacker must craft a malicious link or form that, when accessed by an authenticated Jenkins user (in a standard web browser), triggers a CSRF request. Since Jenkins uses session cookies for authentication, a successful attack depends on the victim having an active Jenkins session with sufficient privileges (typically Overall/Administer) to disable jobs [1].

Impact

Successful exploitation enables an attacker to deactivate any job within the Jenkins environment. This could lead to denial of service by preventing critical builds from running, or disrupt continuous integration/continuous delivery (CI/CD) pipelines. The plugin is specifically designed to manage orphaned jobs, but the CSRF vulnerability allows disabling any job, not just orphaned ones [2][3].

Mitigation

As of the Jenkins security advisory published June 30, 2022, no fix has been released for the Failed Job Deactivator Plugin. Administrators are advised to disable the plugin if it is not required, or restrict access to the Jenkins UI to trusted users only. The plugin repository indicates it is maintained, but no patched version has been provided [1][3].