CVE-2022-23111 — CSRF vulnerability and missing permission checks in Jenkins Publish Over SSH Plu

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

How to fix CVE-2022-23111

To remediate CVE-2022-23111, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins:publish-over-ssh—upgrade to 1.23 or later

Is CVE-2022-23111 being exploited?

Moderate — EPSS is 9.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.23

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23111
PATCHgithub.com/jenkinsci/publish-over-ssh-plugin
WEBgithub.com/jenkinsci/publish-over-ssh-plugin/commit/21bf41adbce9e71d3f77e113e29bf81d437cadc3
WEBgithub.com/jenkinsci/publish-over-ssh-plugin/releases/tag/publish-over-ssh-1.23