CVE-2022-41245

Vulnerability

Overview

CVE-2022-41245 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Worksoft Execution Manager Plugin, affecting versions 10.0.3.503 and earlier. The plugin does not require a CSRF token or other validation for certain requests, allowing an attacker to trick an authenticated Jenkins user into performing unintended actions [1][3].

Exploitation

An attacker can exploit this CSRF by crafting a malicious link or page that, when visited by a Jenkins user with appropriate permissions, triggers a request to connect to an attacker-specified URL using attacker-specified credentials IDs. The credentials IDs must be obtained through another method (e.g., information disclosure or social engineering) [1]. The attack does not require authentication on the attacker's part but relies on the victim's active session.

Impact

Successful exploitation allows the attacker to capture credentials stored in Jenkins by making the plugin connect to an attacker-controlled server and transmit the credentials. This can lead to compromise of sensitive credentials used for builds, deployments, or other integrations [1][3].

Mitigation

The Jenkins Security Advisory 2022-09-21 recommends updating the Worksoft Execution Manager Plugin to a version that includes a fix. As of the advisory date, no patched version was listed, but users should monitor the plugin's update site or GitHub repository for a fixed release [1][2].