VYPR
High severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36920

Description

A CSRF vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers to use malicious URLs with attacker-specified credentials to capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Coverity Plugin, up to and including version 1.11.4. The issue allows an attacker to craft a malicious request that, when executed by an authenticated Jenkins user, causes the plugin to connect to an attacker-controlled URL using attacker-specified credential IDs [1][2].

The attack requires that the attacker first obtain valid credential IDs from the Jenkins instance through a separate vulnerability or method. With these IDs, the CSRF attack can be triggered without the attacker authenticating directly, because the victim's browser automatically includes their session cookies with the forged request [4].

Successfully exploiting this vulnerability enables the attacker to capture credentials stored in Jenkins by directing the plugin to send them to an external, attacker-controlled server. This results in the exposure of sensitive authentication tokens or secrets [2].

The Coverity Plugin is no longer maintained and was deprecated as of November 30, 2018, with official support ending June 30, 2019 [1]. Since no patch will be provided, users are advised to migrate to the Synopsys Coverity Jenkins Plugin and remove the deprecated plugin from their Jenkins installations [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
org.jenkins-ci.plugins:coverity (Maven)   <= 1.11.4           (none)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF protection in the Coverity Plugin allows an attacker to forge requests that connect to an attacker-specified URL using attacker-specified credentials IDs."

Attack vector

An attacker can craft a malicious web page or link that, when visited by an authenticated Jenkins user, triggers a cross-site request forgery (CSRF) attack [CWE-352]. The forged request causes the Coverity Plugin to connect to an attacker-specified URL using attacker-specified credential IDs (obtained through another method), thereby capturing the stored Jenkins credentials [1]. The attack requires no special network position beyond the ability to deliver the crafted request to a victim who has an active Jenkins session.

Affected code

The advisory does not specify exact file paths or function names. The vulnerability exists in the Coverity Plugin for Jenkins, versions 1.11.4 and earlier [1]. The plugin's configuration and post-build action handlers that process connection settings and credential IDs lack CSRF validation.

What the fix does

The advisory indicates the plugin is no longer maintained and was deprecated as of November 30, 2018, with functionality migrated to the new Synopsys Coverity Jenkins Plugin [1]. No patch for this CSRF vulnerability in the original Coverity Plugin is published. Users are advised to migrate to the replacement plugin to obtain proper CSRF protection.

Preconditions

  • auth: The victim must be authenticated to Jenkins.
  • network: The attacker must be able to deliver a crafted request (e.g., via a malicious web page, link, or email) to the victim.
  • input: The attacker must obtain valid credential IDs through another method (e.g., another vulnerability or information disclosure).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.