
CVE-2022-27214: CSRF vulnerability in Jenkins Release Helper Plugin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.28186%
Published: 3/16/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name: org.jenkins-ci.plugins:release-helper
Ecosystem: maven
Vulnerable Versions: <= 1.3.3
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The advisory explicitly states two key flaws: 1) a missing permission check in form validation, and 2) a missing POST request requirement, which enables CSRF. In Jenkins plugins, form validation methods typically follow the doCheck<FieldName> naming pattern and would handle credential/URL validation. The combination of a missing @RequirePOST annotation and the lack of permission validation in these methods matches the described attack vector.
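As an added illustration of that pattern (not the plugin's own code, which the page does not show), the weak shape of a doCheck method is placed beside the hardened one; the class, method, field and parameter names are assumptions.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical descriptor; class, method and field names are assumptions, not the plugin's code.
public class ExampleReleaseDescriptor {
    // WEAK: reachable via GET and without a permission check, so a forged cross-site
    // request from a logged-in user's browser reaches probe() with attacker-chosen values.
    public FormValidation doCheckServerUrlWeak(@QueryParameter String value,
                                               @QueryParameter String credentialsId) {
        return probe(value, credentialsId);
    }

    // HARDENED: @RequirePOST rejects GET, so Jenkins' CSRF crumb check applies, and the
    // explicit permission check ties the side effect to a user allowed to configure the item.
    @RequirePOST
    public FormValidation doCheckServerUrl(@AncestorInPath Item item,
                                           @QueryParameter String value,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return probe(value, credentialsId);
    }

    // Side-effecting validation: the controller connects to whatever URL the form contains.
    private static FormValidation probe(String value, String credentialsId) {
        if (value == null || value.isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(value).openConnection();
            c.setConnectTimeout(3000);
            c.setReadTimeout(3000);
            // Credential lookup by credentialsId is omitted; the point is who may trigger it.
            int code = c.getResponseCode();
            return code < 400 ? FormValidation.ok() : FormValidation.warning("HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error("Cannot connect: " + e.getMessage());
        }
    }
}
```

The annotation alone is not sufficient: a POST from a low-privilege user still carries a valid crumb, so the permission check is what closes the PR:L path in the CVSS vector.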


WAF Protection Rules

WAF Rule

A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
