VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 27, 2025

CVE-2022-41249

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to make Jenkins connect to an attacker-specified HTTP server using a credentials ID obtained through another method, capturing the credentials stored in Jenkins under that ID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

CVE-2022-41249 is a cross-site request forgery (CSRF) vulnerability in the Jenkins SCM HttpClient Plugin, affecting version 1.5 and earlier. The plugin's HTTP endpoints that open outbound connections (the "test connection" style handlers that take a server URL and a credentials ID) accept plain GET requests instead of requiring POST. Jenkins's CSRF protection is crumb-based and is only enforced on POST requests, so a GET endpoint sits entirely outside it: an attacker can embed the request in a web page and have an authenticated Jenkins user's browser send it, session cookie attached, without any token or confirmation step [1][3].

Exploitation

Prerequisites

An attacker must first learn a valid credentials ID stored in Jenkins through a separate method (e.g., another vulnerability or an information disclosure). The ID is only an identifier, not the secret itself; the secret is what the exploit leaks. With the ID, the attacker crafts a web page that, when visited by a Jenkins user who is logged in and has the permissions the endpoint expects, makes the victim's browser issue the GET request that causes the plugin to connect to an attacker-specified HTTP server and authenticate with the credentials stored under that ID [1][2]. No interaction beyond loading the page is needed, because the browser supplies the victim's Jenkins session automatically.
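The following Java sketch is an added illustration of the endpoint shape described under Root Cause and Prerequisites, shown beside its hardened form. It is not the SCM HttpClient Plugin's own code and is not taken from the advisory: the class, method and parameter names (`doTestConnection`, `url`, `credentialsId`), the use of `GlobalConfiguration` as the host descriptor, and the choice of `Jenkins.ADMINISTER` as the required permission are all assumptions made for the example, and it assumes a Jenkins core and Credentials Plugin recent enough to offer the Spring Security based `ACL.SYSTEM2` lookup overload.

```java
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

/**
 * Illustration of the endpoint shape behind CVE-2022-41249. This is NOT the SCM
 * HttpClient Plugin's code: class, method and parameter names are assumptions chosen
 * for the example; only the request-handling pattern is what the advisory describes.
 */
public final class Cve202241249Illustration {
    private Cve202241249Illustration() {}

    /** Resolve a stored credential by its ID and present it to {@code url} as HTTP Basic auth. */
    static FormValidation connectWithStoredCredentials(String url, String credentialsId) {
        StandardUsernamePasswordCredentials cred = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM2, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (cred == null) {
            return FormValidation.error("Unknown credentials ID: " + credentialsId);
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            // Whoever operates `url` receives the stored username and password on this line.
            String pair = cred.getUsername() + ":" + cred.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8)));
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected, HTTP " + status)
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }

    /**
     * Vulnerable shape. Stapler exposes doTestConnection as a web method reachable by a
     * plain GET (.../testConnection?url=...&credentialsId=...). A victim's browser, sent
     * there by an <img> or <script> tag on an attacker's page, attaches the victim's
     * Jenkins session cookie, and Jenkins's crumb (CSRF token) check is never consulted
     * because it is enforced only for POST requests.
     */
    @Extension
    public static class UnsafeHttpClientConfig extends GlobalConfiguration {
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            return connectWithStoredCredentials(url, credentialsId);
        }
    }

    /**
     * Hardened shape, following Jenkins's guidance for form-validation endpoints.
     * @RequirePOST makes Stapler reject GET, so the request must be a POST carrying a
     * valid crumb, which a cross-origin page cannot obtain. The explicit permission
     * check (ADMINISTER is this example's assumption) ensures only users allowed to
     * change global configuration can make Jenkins dial out with stored secrets; web
     * methods on a Descriptor carry no implicit permission check of their own.
     */
    @Extension
    public static class HardenedHttpClientConfig extends GlobalConfiguration {
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return connectWithStoredCredentials(url, credentialsId);
        }
    }
}
```

Both descriptors become reachable under Jenkins's `descriptorByName/<fully qualified class name>/testConnection` path, and the only difference between them is the `@RequirePOST` annotation and the permission check. That is the whole of the fix class for this advisory: the outbound connection itself is legitimate functionality, so the hardening is about who may trigger it and whether a cross-site page can.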

Impact

Upon exploitation, the attacker-controlled server receives the credentials (e.g., username/password, API tokens) that are stored in Jenkins and referenced by the provided ID. This allows credential exfiltration and can lead to further compromise of systems protected by those credentials [1][3].

Status

The vulnerability has been publicly disclosed, and as of the advisory date (2022-09-21) no fix was available for the SCM HttpClient Plugin; the advisory lists the plugin among those with unresolved security issues [1][2]. Note that turning on Jenkins's global CSRF protection does not mitigate this issue, because that protection applies crumbs to POST requests only and the affected endpoints accept GET. Until a fixed release appears, users should disable or uninstall the plugin, or restrict access to Jenkins so that untrusted parties cannot reach it.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions   Patched versions
com.meowlomo.jenkins:scm-httpclient (Maven)    <= 1.5              none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 1