CVE-2022-36886 — External Monitor Job Type Plugin does not require POST requests for an HTTP endp

Description

Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to create runs of an external job. External Monitor Job Type Plugin 192.ve979ca_8b_3ccd requires POST requests for the affected HTTP endpoint.

How to fix CVE-2022-36886

To remediate CVE-2022-36886, upgrade the affected package to a fixed version below.

—upgrade to 192.ve979ca_8b_3ccd or later

Is CVE-2022-36886 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 192.ve979ca_8b_3ccd

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-36886
WEBgithub.com/jenkinsci/external-monitor-job-plugin/commit/e979ca8b3ccd8cf2b098533e1529d104b6bfd7da
WEBwww.jenkins.io/security/advisory/2022-07-27/#SECURITY-2762
WEBwww.openwall.com/lists/oss-security/2022/07/27/1