VYPR
Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36908

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload an SSH key file from the Jenkins controller file system to an attacker-specified URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Jenkins OpenShift Deployer Plugin lets attackers probe file existence and exfiltrate SSH keys.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier. The plugin does not require a CSRF token or any other form of cross-site request forgery protection for its endpoints. This flaw allows an attacker to craft malicious requests that, if executed by an authenticated Jenkins user, can abuse the plugin's functionality. [1][3]

Exploitation

An attacker can exploit this vulnerability by tricking an authenticated Jenkins user into visiting a malicious page or clicking a crafted link. No further authentication is needed beyond the victim's existing session. The attacker can then instruct the plugin to check for the existence of an attacker-specified file path on the Jenkins controller's file system, effectively performing a file existence probe. Additionally, the attacker can trigger the upload of an SSH key file (e.g., the one configured in the plugin settings) from the Jenkins controller to an attacker-specified URL. [1][2][3]

Impact

Successful exploitation allows an attacker to map the Jenkins controller's filesystem (by confirming existence of targeted paths) and to exfiltrate the SSH private key used by the OpenShift Deployer Plugin. This SSH key could then be used to gain unauthorized access to connected OpenShift infrastructure, potentially leading to compromise of deployed applications and associated resources. [1][3]

Mitigation

The vulnerability affects OpenShift Deployer Plugin 1.2.0 and earlier. As of the advisory publication date (2022-07-27), no fixed version is listed for this plugin; the plugin may be considered end-of-life or unmaintained. Users are advised to assess their reliance on this plugin and consider disabling it or migrating to an alternative solution, as no patch is available. [1][2]
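The Vulnerability section above describes plugin endpoints that accept requests without any CSRF protection, and the Mitigation section notes that no patched release exists. The following is an added illustration, not the OpenShift Deployer Plugin's own code, of what that unprotected endpoint shape looks like in a Jenkins plugin beside the hardened shape a maintainer would use: the class, method and parameter names (`DeployerEndpoints`, `doCheckKeyPathUnprotected`, `doCheckKeyPath`, `value`) are hypothetical, while `@POST`, `@QueryParameter`, `FormValidation` and `Jenkins.get().checkPermission` are real Jenkins/Stapler APIs.

```java
// Added example, not the plugin's own code. Names are hypothetical.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.File;

public class DeployerEndpoints {

    // UNPROTECTED shape (the class of defect this advisory describes):
    // reachable with a plain GET, so Jenkins never demands its CSRF crumb,
    // and no permission is checked. Any visitor who can make the victim's
    // browser send the request learns whether a controller path exists.
    public FormValidation doCheckKeyPathUnprotected(@QueryParameter String value) {
        if (new File(value).exists()) {
            return FormValidation.ok();
        }
        return FormValidation.error("File not found: " + value);
    }

    // HARDENED shape: @POST makes Stapler reject GET requests, and every
    // POST in Jenkins passes through the crumb filter, so a cross-site page
    // cannot forge the call. The explicit permission check additionally
    // stops low-privileged users from using the endpoint as a file oracle.
    @POST
    public FormValidation doCheckKeyPath(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (value == null || value.isEmpty()) {
            return FormValidation.ok(); // empty field: nothing to validate yet
        }
        if (new File(value).exists()) {
            return FormValidation.ok();
        }
        return FormValidation.error("File not found: " + value);
    }
}
```

The same two changes apply to any endpoint that performs an action (such as sending a key file to a URL) rather than only validating a field: require POST so the crumb is enforced, and check a permission appropriate to the side effect. Modern Jenkins form controls already submit `checkUrl` validation via POST, so annotating the method with `@POST` does not break the UI.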

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:openshift-deployer (Maven)
Affected versions: <= 1.2.0
Patched versions: none listed

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5
