CVE-2022-41254 — Missing permission checks in Jenkins CONS3RT Plugin allow capturing credentials

Description

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

How to fix CVE-2022-41254

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-41254 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41254
PATCHgithub.com/jenkinsci/cons3rt-plugin
WEBwww.jenkins.io/security/advisory/2022-09-21/#SECURITY-2751
WEBwww.openwall.com/lists/oss-security/2022/09/21/5