CVE-2022-20612: CSRF
First published: Wed Jan 12 2022(Updated: )
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | >=2.320<2.330 | 2.330 |
| maven/org.jenkins-ci.main:jenkins-core | <2.319.2 | 2.319.2 |
| Jenkins Jenkins | <=2.319.1 | |
| Jenkins Jenkins | <=2.329 | |
| Oracle Communications Cloud Native Core Automated Test Suite | =1.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-20612
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558
- http://www.openwall.com/lists/oss-security/2022/01/12/6
- https://www.jenkins.io/changelog-stable/#v2.319.2
- https://www.jenkins.io/changelog/#v2.330
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/jenkinsci/jenkins/commit/b5c3764681f3b4ce83d0e78f6a9327925640d57e
- https://github.com/advisories/GHSA-p92q-7fhh-mq35 (Advisory)
Frequently Asked Questions
What is CVE-2022-20612?
CVE-2022-20612 is a cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier LTS 2.319.1 and earlier that allows attackers to trigger a build of a job without proper authorization.
How does CVE-2022-20612 affect Jenkins?
CVE-2022-20612 affects Jenkins 2.329 and earlier LTS 2.319.1 and earlier versions by allowing unauthorized triggering of job builds through a CSRF attack.
What is the severity of CVE-2022-20612?
CVE-2022-20612 has a severity rating of 4.3, which is considered medium.
How can I fix CVE-2022-20612 in Jenkins?
To fix CVE-2022-20612 in Jenkins, you need to upgrade to version 2.330 or later.
Where can I find more information about CVE-2022-20612?
You can find more information about CVE-2022-20612 in the following references: [Openwall](http://www.openwall.com/lists/oss-security/2022/01/12/6), [Jenkins Security Advisory](https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558), [Oracle Security Advisory](https://www.oracle.com/security-alerts/cpuapr2022.html).
- collector/github-advisory-latest
- alias/GHSA-p92q-7fhh-mq35
- alias/CVE-2022-20612
- collector/github-advisory
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/remedy
- agent/first-publish-date
- agent/tags
- agent/severity
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- package-manager/maven
- vendor/jenkins
- canonical/jenkins jenkins
- version/jenkins jenkins/2.319.1
- version/jenkins jenkins/2.329
- vendor/oracle
- canonical/oracle communications cloud native core automated test suite
- version/oracle communications cloud native core automated test suite/1.9.0