VYPR
Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36911

Description

Jenkins Openstack Heat Plugin 1.5 and earlier is vulnerable to CSRF, allowing attackers to craft requests that connect to an attacker-specified URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Openstack Heat Plugin versions 1.5 and earlier. The plugin fails to properly validate and protect against cross-origin requests, allowing an attacker to perform actions on behalf of an authenticated Jenkins user without their consent. Specifically, the plugin does not include a CSRF token or other mechanism to verify the legitimacy of requests.

Exploitation

To exploit this vulnerability, an attacker would need to trick a Jenkins user with access to the plugin into clicking a malicious link or visiting a crafted web page. The affected endpoint does not require authentication beyond the user's existing session, so any action the user can perform in the plugin can be executed by the attacker. The attacker can specify an arbitrary URL, potentially leading to interactions with internal or external systems.

Impact

By exploiting this CSRF flaw, an attacker can force the Jenkins server to connect to an attacker-specified URL. This could be used to exfiltrate sensitive information, perform port scans of internal networks, or trigger actions on other systems accessible from the Jenkins server. The impact depends on the network position of the Jenkins instance and the privileges of the targeted user.

Mitigation

Jenkins has released a security advisory for this issue [1]. Users should update the Openstack Heat Plugin to the latest version as soon as it becomes available. No workarounds are mentioned in the advisory. The plugin's source code is available on GitHub [4] for those who wish to review the fix.
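The endpoint shape the advisory describes (a form-validation method that opens a connection to a caller-supplied URL without requiring POST or a permission check) and its hardened form, as an added illustrative example in Java. This is not code from the Openstack Heat Plugin or from the Jenkins project; the class and method names, the example.jenkins package, the HEAD-request probe and the choice of Jenkins.ADMINISTER as the required permission are assumptions.

```java
// Added illustrative example, not the Openstack Heat Plugin's code.
// A hypothetical Jenkins plugin "endpoint" configuration object whose
// descriptor exposes a connectivity check to the configuration form.
package example.jenkins;  // hypothetical package

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;

public class ExampleEndpoint extends AbstractDescribableImpl<ExampleEndpoint> {
    private final String url;

    @DataBoundConstructor
    public ExampleEndpoint(String url) { this.url = url; }

    public String getUrl() { return url; }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleEndpoint> {

        // BEFORE (the vulnerable shape): Stapler routes this method to a URL
        // under /descriptorByName/..., accepts GET, and nothing verifies that
        // the request was intentionally issued by the user or that the user
        // is allowed to trigger it. Any page the logged-in user visits can
        // make Jenkins connect to a URL of the page author's choosing.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url)
                throws IOException {
            new URI(url).toURL().openConnection().connect();   // assumption: unchecked
            return FormValidation.ok("Connected");
        }

        // AFTER (hardened): require POST so Jenkins' crumb-based CSRF
        // protection applies, require an explicit permission, and constrain
        // what the server will connect to before touching the network.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url) {
            // Throws AccessDeniedException for callers without the permission.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);

            URI target;
            try {
                target = new URI(url);
            } catch (URISyntaxException e) {
                return FormValidation.error("Not a valid URL");
            }
            String scheme = target.getScheme();
            if (scheme == null || !(scheme.equals("http") || scheme.equals("https"))) {
                return FormValidation.error("Only http and https endpoints are supported");
            }

            HttpURLConnection conn = null;
            try {
                conn = (HttpURLConnection) target.toURL().openConnection();
                conn.setRequestMethod("HEAD");        // assumption: probe without a body
                conn.setInstanceFollowRedirects(false);
                conn.setConnectTimeout(5_000);
                conn.setReadTimeout(5_000);
                int status = conn.getResponseCode();
                return status < 400
                        ? FormValidation.ok("Endpoint responded with HTTP " + status)
                        : FormValidation.warning("Endpoint responded with HTTP " + status);
            } catch (IOException e) {
                // Report the failure class, not the raw exception text, to
                // avoid echoing internal hostnames or network details.
                return FormValidation.error("Connection failed: " + e.getClass().getSimpleName());
            } finally {
                if (conn != null) conn.disconnect();
            }
        }
    }
}
```

The two annotations do the work that the advisory says was missing: `@RequirePOST` makes Stapler reject GET requests to the method, so with Jenkins' CSRF protection enabled a cross-site request cannot carry a valid crumb, and `checkPermission` ties the outbound connection to an explicit privilege rather than to mere session membership. The scheme check and timeouts are a defensive extra so that a "test connection" button cannot be pointed at arbitrary protocols or used to hold server threads open.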

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions   Patched versions
org.jenkins-ci.plugins:openstack-heat (Maven)  <= 1.5              (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.