CVE-2022-36906
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins OpenShift Deployer Plugin allows attackers to perform authenticated requests to attacker-specified URLs
Vulnerability
Overview
A cross-site request forgery (CSRF) vulnerability in the Jenkins OpenShift Deployer Plugin, versions 1.2.0 and earlier, permits an attacker to trick an authenticated Jenkins user into performing unintended actions (e.g., connecting to an attacker-controlled URL with attacker-specified credentials). The issue originates from the plugin's lack of CSRF protection on its form-based actions, allowing a malicious website to forge requests on behalf of the victim [1].
Exploitation
Context
An attacker can exploit this by crafting a malicious page that, when visited by a Jenkins administrator or user with appropriate permissions, submits a CSRF request to the plugin's endpoint. The request would cause Jenkins to connect to a remote URL (specified by the attacker) using a username and password also provided by the attacker. No authentication is bypassed: the attacker relies on the victim's existing session in Jenkins [1][2].
Impact
Successful exploitation could lead to various impacts depending on the attacker's objective. For example, an attacker could use this to exfiltrate credentials, escalate privileges, or perform other actions as the victim user within Jenkins. The specific impact is context-dependent, but the CSRF nature allows unauthorized operations under the victim's identity [1][3].
Mitigation
The vulnerability is fixed in OpenShift Deployer Plugin versions later than 1.2.0. Jenkins released a security advisory on 2022-07-27 detailing the fix, and users are advised to update the plugin. No workarounds are documented; the only mitigation is applying the patched version [1][2].
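The mechanism the narrative describes (a form-based "connect to this URL with these credentials" action reachable without a POST requirement or a permission check) and the usual Jenkins hardening for it, as an added illustration: this is hypothetical code written here, not the OpenShift Deployer Plugin's source, and the class, method and parameter names are assumed.

```java
// Hypothetical Jenkins descriptor illustrating the general pattern behind this
// class of CSRF issue. Not the OpenShift Deployer Plugin's own code.
package example;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class DeployerConfig extends AbstractDescribableImpl<DeployerConfig> {

    @Extension
    public static class DescriptorImpl extends Descriptor<DeployerConfig> {

        // VULNERABLE PATTERN (kept as a comment): Stapler serves a form-validation
        // method for any HTTP method, and nothing checks who is calling. A page the
        // victim visits can make the browser send the request with the victim's
        // Jenkins session, and Jenkins then connects to the given URL with the
        // given credentials on the victim's behalf.
        //
        // public FormValidation doCheckConnection(@QueryParameter String url,
        //         @QueryParameter String username, @QueryParameter String password) {
        //     return connect(url, username, password);
        // }

        // HARDENED: require POST, so Jenkins' CSRF crumb check applies to the
        // request, and require a permission a cross-site page cannot supply.
        @RequirePOST
        public FormValidation doCheckConnection(@QueryParameter String url,
                @QueryParameter String username, @QueryParameter String password) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return connect(url, username, password);
        }

        private FormValidation connect(String url, String username, String password) {
            // Placeholder for the outbound connection attempt; real code would open
            // the connection and report success or the resulting error message.
            if (url == null || url.isEmpty()) {
                return FormValidation.error("URL is required");
            }
            return FormValidation.ok("Connection parameters accepted");
        }
    }
}
```

The `@RequirePOST` annotation makes Jenkins reject plain GET requests to the method, and the explicit permission check means a forged request from a low-privileged session is refused even when it does arrive as a POST.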
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:openshift-deployer (Maven) | <= 1.2.0 | — |
Affected products
- Range: <=1.2.0
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-8528-c6m6-gppm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36906 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/07/27/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.jenkins.io/security/advisory/2022-07-27/ (mitre, x_refsource_CONFIRM)
- www.jenkins.io/security/advisory/2022-07-27/ (ghsa, WEB)
News mentions
No linked articles in our index yet.