CVE-2022-45398

The Jenkins Cluster Statistics Plugin versions 0.4.6 and earlier are vulnerable to a cross-site request forgery (CSRF) attack because they do not properly validate requests. This flaw enables an attacker to delete recorded cluster statistics without proper authorization [1][2].

To exploit this vulnerability, an attacker must trick a Jenkins user with sufficient permissions into clicking a malicious link or visiting a crafted webpage while authenticated to the Jenkins instance. No other privileges are required [3].

Successful exploitation results in the deletion of historical cluster statistics, potentially disrupting monitoring and analysis of cluster performance. The data loss could affect capacity planning and troubleshooting efforts [1].

As of the advisory, no fix has been released for the Cluster Statistics Plugin. Administrators are advised to disable the plugin if not needed or to ensure Jenkins is configured to enforce CSRF protection. The plugin remains unresolved in the public advisory [1][2].