4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-41249

GHSA ID

GHSA-6cvr-rvpm-9wx4

EPSS Score

0.2655%

CWE

CWE-352

Published

9/22/2022

Updated

2/2/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41249

CVE-2022-41249:
Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

(GitHub Advisory)

4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-41249

GHSA ID

GHSA-6cvr-rvpm-9wx4

EPSS Score

0.2655%

CWE

CWE-352

Published

9/22/2022

Updated

2/2/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.meowlomo.jenkins:scm-httpclient	maven	<= 1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly states: 1) A form validation method lacks permission checks, 2) It accepts non-POST requests. In Jenkins plugins, form validation methods are typically named doCheck<FieldName> or similar, and security requires both permission verification (e.g., Jenkins.get().checkPermission(...)) and @RequirePOST annotations. The combination of these missing protections matches the described CSRF/credential capture vulnerability pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*M *ttp*li*nt Plu*in *.* *n* **rli*r *o*s not p*r*orm p*rmission ****k in * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *onn**t to *n *tt**k*r-sp**i*i** *TTP s*rv*r usin* *tt**k*r-sp**i*i** *r***nti*ls

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s: *) * *orm `v*li**tion` m*t*o* l**ks p*rmission ****ks, *) It ****pts non-POST r*qu*sts. In `J*nkins` plu*ins, *orm `v*li**tion` m*t*o*s *r* typi**lly n*m** `*o****k<*i*l*N*m*>` or simil*r, *n* s**urity

4.2

Basic Information

Concerned about an active attack path?

CVE-2022-41249: Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-41249:
Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery

Vulnerability Intelligence
Miggo AI