VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41253

Description

CSRF in Jenkins CONS3RT Plugin lets attackers exfiltrate credentials by tricking a user into making a request that connects to an attacker-controlled server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins CONS3RT Plugin version 1.0.0 and earlier [1]. The plugin does not require a confirmation token or other CSRF protection on actions that connect to external servers. An attacker can therefore craft a malicious HTTP request that, when executed by an authenticated Jenkins user, causes the plugin to connect to an attacker-specified HTTP server using attacker-chosen credentials IDs. The attacker must first obtain valid credentials IDs by other means (for example, from job configurations or log files) to complete the attack [2].

To exploit this vulnerability, an attacker must trick a Jenkins user with appropriate permissions into visiting a specially crafted web page or clicking a link. No additional authentication is required beyond the user's existing session. Because the plugin processes the request without validating its origin, the victim's browser sends a forged request that triggers a connection from the Jenkins server to an attacker-controlled HTTP endpoint. The attacker then captures the credentials stored in Jenkins that are associated with the supplied IDs [3].
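As an added illustration, not code from the CONS3RT Plugin or from this advisory, the hardening Jenkins recommends for a form-validation endpoint of the kind described above: a connection-test method that only accepts POST (so Stapler's crumb-based CSRF check applies) and verifies the caller's permission before the server connects anywhere with a stored credential. The class and method names, parameters and the `connect` helper are assumptions; `@RequirePOST`, `@QueryParameter`, `@AncestorInPath`, `FormValidation` and the `checkPermission` calls are standard Jenkins/Stapler APIs.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor sketch; names are assumptions, not the plugin's own.
public class ConnectionTestExample {

    // BEFORE (the pattern behind this bug class): reachable via GET, so a link
    // or image tag on a third-party page makes the victim's browser trigger it,
    // and any authenticated user may point the server at any URL with any
    // credentials ID they happen to know.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return connect(url, credentialsId);
    }

    // AFTER: @RequirePOST makes Stapler reject GET and enforce the Jenkins CSRF
    // crumb on POST; the permission check limits who may make the server open an
    // outbound connection with a stored credential.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            // Global configuration context: only administrators.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            // Job context: the user must be allowed to configure this job.
            item.checkPermission(Item.CONFIGURE);
        }
        return connect(url, credentialsId);
    }

    // Placeholder for the real connection test. A real plugin would resolve
    // credentialsId through the Credentials API in the context of the item and
    // report only success or failure, never the secret itself.
    private FormValidation connect(String url, String credentialsId) {
        if (url == null || url.isEmpty()) {
            return FormValidation.error("URL is required");
        }
        if (credentialsId == null || credentialsId.isEmpty()) {
            return FormValidation.error("Credentials ID is required");
        }
        return FormValidation.ok("Connection check would run against " + url);
    }
}
```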

Successful exploitation enables the attacker to exfiltrate sensitive credentials managed by Jenkins, such as API tokens, passwords, or certificates, by having the Jenkins server transmit them to an external server under the attacker's control. The impact is high because it directly compromises credential confidentiality, potentially leading to further lateral movement or privilege escalation within the environment.

As of publication, the Jenkins security team has not released a fix for the CONS3RT Plugin, and the issue remains unresolved; the plugin may remain affected indefinitely if it is no longer maintained [1][4]. Users are advised to disable or remove the plugin where possible, and to keep Jenkins and its plugins up to date to reduce exposure to known CSRF vulnerabilities.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:cons3rt (Maven)
Affected versions: <= 1.0.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1