CVE-2022-20614

Description

Jenkins Mailer Plugin prior to 408.vd726a_1130320 and 1.34.2 does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Mailer Plugin 408.vd726a_1130320 and 1.34.2 requires POST requests and Overall/Administer permission for the affected form validation method.

How to fix CVE-2022-20614

To remediate CVE-2022-20614, upgrade the affected package to a fixed version below.

• —upgrade to 408.vd726a or later

Is CVE-2022-20614 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 391.ve4a38c1bcf4b, < 408.vd726a

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-20614
• WEBgithub.com/jenkinsci/mailer-plugin/commit/5e6051fae61a43564e22aa89cb24ed8a42a26052
• WEBwww.jenkins.io/security/advisory/2022-01-12/#SECURITY-2163
• WEBwww.oracle.com/security-alerts/cpuapr2022.html