CVE-2022-27214: CSRF vulnerability in Jenkins Release Helper Plugin
CVSS Score: 4.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-27214
GHSA ID:
EPSS Score: 0.28186%
CWE:
Published: 3/16/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:release-helper | maven | <= 1.3.3 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory explicitly states two key flaws: (1) a missing permission check in a form validation method, and (2) no requirement that the request be a POST, which enables CSRF. In Jenkins plugins, form validation methods typically follow the doCheck<FieldName> naming pattern and here would handle credential/URL validation. The combination of a missing @RequirePOST annotation and the lack of a permission check in such a method matches the described attack vector.
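To illustrate the pattern the analysis describes, here is an added example written for this page, not code from the Release Helper Plugin: a hypothetical Jenkins descriptor (the class and the doCheckServerUrl method name are assumptions) whose form-validation method is shown first as the advisory describes the flaw (no POST requirement, no permission check) and then in its hardened form.

```java
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor, not the Release Helper Plugin's own code; the class
// and the doCheckServerUrl method name are assumptions used for illustration.
@Extension
public class ExampleStepDescriptor extends Descriptor<Builder> {

    // The flawed pattern the analysis describes: Stapler routes both GET and
    // POST here and no permission is checked, so any user with Overall/Read,
    // or a page that makes such a user's browser request the URL, can call it.
    public FormValidation doCheckServerUrlVulnerable(@QueryParameter String value) {
        return validateUrl(value);
    }

    // Hardened version: @RequirePOST rejects GET, so the call must carry the
    // Jenkins CSRF crumb; the permission check limits it to users who may
    // configure the enclosing item (or administer Jenkins when there is none).
    @RequirePOST
    public FormValidation doCheckServerUrl(@AncestorInPath Item item, @QueryParameter String value) {
        if (item == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        else item.checkPermission(Item.CONFIGURE);
        return validateUrl(value);
    }

    // Validation shared by both variants, kept purely syntactic here.
    private static FormValidation validateUrl(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("URL is required");
        }
        try {
            URI uri = new URI(value.trim());
            return uri.getScheme() == null || uri.getHost() == null
                    ? FormValidation.error("Enter an absolute http(s) URL")
                    : FormValidation.ok();
        } catch (URISyntaxException e) {
            return FormValidation.error("Malformed URL: " + e.getMessage());
        }
    }
}
```

Jenkins' own plugin security guidance also accepts returning FormValidation.ok() instead of throwing when the caller lacks permission, which avoids leaking validation results while still preventing the check from running on their behalf.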