CVE-2022-34817 — Cross-Site Request Forgery in Jenkins Failed Job Deactivator Plugin

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier allows attackers to disable jobs. This CSRF vulnerability is only exploitable in Jenkins 2.286 and earlier, LTS 2.277.1 and earlier. See the [LTS upgrade guide](https://www.jenkins.io/doc/upgrade-guide/2.277/#upgrading-to-jenkins-lts-2-277-2).

How to fix CVE-2022-34817

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-34817 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-34817
PATCHgithub.com/jenkinsci/failedjobdeactivator-plugin
WEBwww.jenkins.io/security/advisory/2022-06-30/#SECURITY-2061