CVE-2022-20612
Cross-Site Request Forgery in Jenkins
4.3
MEDIUM
CVSS 3.1
EPSS 0.40%
Description
Jenkins 2.329 and earlier and LTS 2.319.1 and earlier do not require POST requests for the HTTP endpoint that handles manual build requests when no security realm is configured. Because a plain GET is enough, a page on any other origin can make a visitor's browser queue a build on a Jenkins instance that browser can reach, which is a cross-site request forgery (CSRF) vulnerability. Attackers can use it to trigger builds of jobs that have no parameters. Jenkins 2.330 and LTS 2.319.2 require POST requests for the affected endpoint.
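The following is an added example, not Jenkins source: it models the endpoint logic the advisory describes (POST enforced only when a security realm is set, versus enforced unconditionally) and replays the cross-site GET that a victim's browser would send for an attacker-supplied image tag. The crumb (anti-CSRF token) handling, the `Server`/`Job`/`Request` types, the hostname and the job name are assumptions made for the model; the advisory itself mentions none of them.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Job:
    name: str
    parameterized: bool = False
    queue: List[int] = field(default_factory=list)   # build numbers queued so far


@dataclass
class Request:
    method: str
    crumb: Optional[str] = None   # anti-CSRF token header, if the client sent one


@dataclass
class Server:
    security_realm_set: bool      # per the advisory, the flaw applies only when this is False
    crumb: Optional[str] = None   # expected crumb value; None models "no crumb issuer" (assumption)


def _queue_build(job: Job) -> int:
    if job.parameterized:
        return 200   # modelled: the parameter form is rendered, nothing is queued
    job.queue.append(len(job.queue) + 1)
    return 201       # build queued


def build_endpoint_vulnerable(server: Server, job: Job, req: Request) -> int:
    """Pre-fix logic as the advisory describes it: POST is enforced only when a
    security realm is configured. A crumb, where configured, is only ever
    checked on POST, so a GET sidesteps it entirely."""
    if req.method == "POST":
        if server.crumb is not None and req.crumb != server.crumb:
            return 403
    elif server.security_realm_set:
        return 405   # GET refused, but only on an instance with a realm
    return _queue_build(job)


def build_endpoint_fixed(server: Server, job: Job, req: Request) -> int:
    """Post-fix logic: POST is required unconditionally, so the crumb check
    (when configured) cannot be bypassed by choosing another method."""
    if req.method != "POST":
        return 405
    if server.crumb is not None and req.crumb != server.crumb:
        return 403
    return _queue_build(job)


Handler = Callable[[Server, Job, Request], int]


def csrf_via_image_tag(handler: Handler, server: Server, job: Job) -> int:
    """A victim's browser rendering <img src="https://ci.internal/job/deploy/build">
    on an attacker page sends a plain GET with the victim's cookies and no crumb."""
    forged = Request(method="GET", crumb=None)
    return handler(server, job, forged)


def demo() -> dict:
    """Replay the forged GET against both versions of an instance with no security realm."""
    results = {}
    for label, handler in (("vulnerable", build_endpoint_vulnerable),
                           ("fixed", build_endpoint_fixed)):
        server = Server(security_realm_set=False)
        job = Job(name="deploy")
        status = csrf_via_image_tag(handler, server, job)
        results[label] = (status, len(job.queue))
    return results


if __name__ == "__main__":
    for label, (status, queued) in demo().items():
        print(f"{label:10s} HTTP {status}, builds queued: {queued}")
```

The point the model makes is that the POST requirement is what ties the endpoint to the crumb check: a simple cross-origin GET (image, link, redirect) carries the victim's session but no token, so an endpoint that acts on GET is exposed no matter how good the token scheme is.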
How to fix CVE-2022-20612
To remediate CVE-2022-20612, upgrade Jenkins to the fixed release of the line you run (the affected endpoint requires POST from these versions on):
- LTS line: upgrade to 2.319.2 or later
- Weekly line: upgrade to 2.330 or later
Is CVE-2022-20612 being exploited?
Low. The EPSS score of 0.40% is the model's estimated probability that the vulnerability is exploited in the wild within the next 30 days, and a score this low indicates no sign of broad exploitation. Note that the flaw only exists on instances with no security realm, which an attacker who can reach the server can drive directly anyway; the CSRF vector matters where the instance is reachable only from the victim's network and the victim's browser is used as the bridge.
Affected packages (2)
- < 2.319.2 (LTS line; fixed in 2.319.2)
- >= 2.320, < 2.330 (weekly line; fixed in 2.330)
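An added fleet check, not part of this page or of Jenkins, that applies the fix boundaries stated in the description (weekly 2.330, LTS 2.319.2). It relies on the fact that Jenkins LTS versions carry three components (2.319.1) while weekly releases carry two (2.329), so the release line can be read off the version string; the host names and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Tuple

# Boundaries from the advisory text: these releases contain the fix.
FIXED_WEEKLY: Tuple[int, ...] = (2, 330)
FIXED_LTS: Tuple[int, ...] = (2, 319, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a Jenkins core version into an integer tuple.
    Weekly releases have two components, LTS releases three; anything else
    (e.g. a distro-suffixed string) is rejected rather than guessed at."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def release_line(version: Tuple[int, ...]) -> str:
    return "lts" if len(version) == 3 else "weekly"


def is_affected(text: str) -> bool:
    """True if this version still lacks the POST requirement on the build endpoint."""
    v = parse_version(text)
    if release_line(v) == "lts":
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def upgrade_target(text: str) -> str:
    """Smallest fixed release on the same line as the given version."""
    v = parse_version(text)
    return "2.319.2" if release_line(v) == "lts" else "2.330"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host still on an affected build to the release it should move to."""
    return {host: upgrade_target(ver) for host, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory (not real hosts) covering both lines and both sides of the fix.
SAMPLE_INVENTORY = {
    "ci-01": "2.319.1",   # LTS, affected
    "ci-02": "2.319.2",   # LTS, first fixed release
    "ci-03": "2.329",     # weekly, affected
    "ci-04": "2.330",     # weekly, first fixed release
    "ci-05": "2.303.3",   # older LTS, affected
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target}")
```

Tuple comparison does the right thing across lines too: a weekly 2.319 sorts below (2, 319, 2), and an LTS such as 2.332.1 sorts above it, which matches the advisory's "2.329 and earlier / 2.319.1 and earlier" wording.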
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |