CVE-2022-27198 — CSRF vulnerability in Jenkins CloudBees AWS Credentials Plugin

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

How to fix CVE-2022-27198

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-27198 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 189.v3551d5642995

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-27198
PATCHgithub.com/jenkinsci/aws-credentials-plugin
WEBgithub.com/jenkinsci/aws-credentials-plugin/commit/cbf183ce58b955f17d93fdc1ac4d19a8ebe693db
WEBwww.jenkins.io/security/advisory/2022-03-15/#SECURITY-2351