Bug 2044460 (CVE-2022-20612)

Summary: CVE-2022-20612 jenkins: no POST request is required for the endpoint handling manual build requests which could result in CSRF
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abenaiss, adam.kaplan, aileenc, aos-bugs, bmontgom, chazlett, drieden, eparis, ggaughan, gmalinko, janstey, jburrell, jochrist, jokerman, jwon, nstielau, pbhattac, pdelbell, proguski, spandura, sponnaga, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: jenkins 2.330, jenkins LTS 2.319.2
Doc Type: If docs needed, set a value
Doc Text:
A cross-site request forgery (CSRF) vulnerability was found in Jenkins. POST requests are not required for the HTTP endpoint handling manual build requests when no security realm is set. This flaw allows an attacker to trigger a build of a job that has no parameters.
Story Points: ---
Last Closed: 2022-03-10 19:01:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2044845, 2044846, 2046487, 2046488, 2046489, 2046490
Bug Blocks: 2044461

Description Michael Kaplan 2022-01-24 16:33:59 UTC
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier do not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

Reference:

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558
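
The affected ranges above split along Jenkins' two release lines (weekly versions have two components, LTS versions three), so a naive string comparison misclassifies them. The following is an added example, not part of this bug report or of Jenkins, that triages already-collected `X-Jenkins` response headers against the fixed versions named here (hostnames and header values are constructed); a version match only flags a candidate, since the advisory applies when no security realm is configured.

```python
import re

# Fixed-in versions from the advisory: weekly 2.330, LTS 2.319.2.
# Everything below them (weekly <= 2.329, LTS <= 2.319.1) is in range.
FIXED_WEEKLY = (2, 330)
FIXED_LTS = (2, 319, 2)

# Weekly releases look like "2.329"; LTS releases like "2.319.1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_jenkins_version(text):
    """Return ('weekly', (major, minor)) or ('lts', (major, minor, patch)).

    Raises ValueError when the string is not a Jenkins version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Jenkins version: {text!r}")
    major, minor, patch = m.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_affected_by_cve_2022_20612(version):
    """Compare against the fixed version of the matching release line only."""
    line, v = parse_jenkins_version(version)
    return v < (FIXED_LTS if line == "lts" else FIXED_WEEKLY)


def classify_inventory(inventory):
    """inventory: {host: {header: value}} gathered beforehand (constructed here).

    Jenkins advertises its version in the X-Jenkins response header; hosts
    without a parseable one are reported as 'unknown' rather than guessed.
    """
    result = {}
    for host, headers in inventory.items():
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("x-jenkins")
        try:
            affected = is_affected_by_cve_2022_20612(value) if value else None
        except ValueError:
            affected = None
        result[host] = "unknown" if affected is None else ("affected" if affected else "fixed")
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ci-a.example.internal": {"X-Jenkins": "2.329"},    # weekly, one below fix
    "ci-b.example.internal": {"X-Jenkins": "2.319.2"},  # LTS, fixed
    "ci-c.example.internal": {"X-Jenkins": "2.303.3"},  # older LTS line
    "ci-d.example.internal": {"Server": "nginx"},       # no Jenkins header
}
```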

Comment 7 errata-xmlrpc 2022-02-10 06:08:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0339 https://access.redhat.com/errata/RHSA-2022:0339

Comment 8 errata-xmlrpc 2022-02-16 06:47:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:0483 https://access.redhat.com/errata/RHSA-2022:0483

Comment 9 errata-xmlrpc 2022-02-16 11:27:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:0491 https://access.redhat.com/errata/RHSA-2022:0491

Comment 10 errata-xmlrpc 2022-02-24 15:12:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2022:0555 https://access.redhat.com/errata/RHSA-2022:0555

Comment 11 errata-xmlrpc 2022-02-25 01:01:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:0565 https://access.redhat.com/errata/RHSA-2022:0565

Comment 14 Product Security DevOps Team 2022-03-10 19:01:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-20612