VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-45393

Description

CSRF vulnerability in Jenkins Delete log Plugin allows attackers to delete build logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Delete log Plugin, affecting version 1.0 and earlier. The plugin does not implement any CSRF protection for its endpoint that deletes build logs, allowing an attacker to craft a malicious request that, when executed by an authenticated Jenkins user, deletes build logs without their knowledge [1].

To exploit this vulnerability, an attacker must trick a logged-in Jenkins user into visiting a malicious web page or clicking a crafted link. The user's browser then automatically sends the forged request to the Jenkins server, leveraging the user's session. No additional authentication is needed as the request is made in the context of the victim's session [2].

A successful exploit allows an attacker to delete build logs from Jenkins jobs. This can disrupt auditing, remove evidence of previous builds, or cause confusion in the CI/CD pipeline. The impact is limited to log deletion, but it can affect traceability and monitoring [1][2].

As of the advisory date (2022-11-15), no fix has been released for the Delete log Plugin. The plugin is likely unmaintained. Users are advised to either remove the plugin if not needed or implement a workaround such as restricting access via Jenkins' authorization mechanisms or proxying the Jenkins interface through a web application firewall [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:delete-log-plugin (Maven)
Affected versions: <= 1.0
Patched versions: (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

References: 4

News mentions: 1