VYPR
Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36916

Description

Jenkins Google Cloud Backup Plugin 0.6 and earlier is vulnerable to CSRF, allowing an attacker to trick a victim into triggering a manual backup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-36916 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Google Cloud Backup Plugin, affecting versions 0.6 and earlier [1]. The Jenkins Security Advisory for July 27, 2022, lists this issue alongside vulnerabilities in other plugins [1]. The root cause is that the plugin's endpoint for triggering manual backups does not require a CSRF token or validate the request origin, violating Jenkins' standard protection mechanisms [1].

An attacker can exploit this by inducing a logged-in Jenkins user with appropriate permissions to visit a malicious web page [1][2]. For example, the attacker could embed a crafted HTML form or image tag that automatically submits a request to the Jenkins server, which the victim's browser will execute with the victim's session credentials [1]. The only prerequisite is that the victim must have access to the Jenkins instance where the plugin is installed and configured [1].

Successful exploitation allows the attacker to trigger a backup of the Google Cloud storage data configured in the plugin without the victim's knowledge or consent [1][3]. This could lead to an unintended backup operation, potentially consuming resources or exposing backup processes, but does not allow data exfiltration or modification by itself [1].

The vulnerability is fixed in version 0.7 of the Google Cloud Backup Plugin, which was released as part of the July 27, 2022, security advisory [2]. Users are strongly advised to update the plugin to the latest available version [2]. There are no known workarounds; updating the plugin is the recommended mitigation [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:google-cloud-backup (Maven)
Affected versions: <= 0.6
Patched versions: none listed

Patches

No patches discovered yet.
