Bug 2044460 (CVE-2022-20612) - CVE-2022-20612 jenkins: no POST request is required for the endpoint handling manual build requests which could result in CSRF
Summary: CVE-2022-20612 jenkins: no POST request is required for the endpoint handling...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-20612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2044845 2044846 2046487 2046488 2046489 2046490
Blocks: 2044461
 
Reported: 2022-01-24 16:33 UTC by Michael Kaplan
Modified: 2022-03-10 19:01 UTC

Fixed In Version: jenkins 2.330, jenkins LTS 2.319.2
Doc Type: If docs needed, set a value
Doc Text:
A cross-site request forgery (CSRF) vulnerability was found in Jenkins. POST requests are not required for the HTTP endpoint handling manual build requests when no security realm is set. This flaw allows an attacker to trigger a build of a job without parameters.
Clone Of:
Environment:
Last Closed: 2022-03-10 19:01:23 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0339 0 None None None 2022-02-10 06:08:33 UTC
Red Hat Product Errata RHSA-2022:0483 0 None None None 2022-02-16 06:47:55 UTC
Red Hat Product Errata RHSA-2022:0491 0 None None None 2022-02-16 11:27:10 UTC
Red Hat Product Errata RHSA-2022:0555 0 None None None 2022-02-24 15:12:40 UTC
Red Hat Product Errata RHSA-2022:0565 0 None None None 2022-02-25 01:01:11 UTC

Description Michael Kaplan 2022-01-24 16:33:59 UTC
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier do not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

Reference:

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558

Comment 7 errata-xmlrpc 2022-02-10 06:08:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:0339 https://access.redhat.com/errata/RHSA-2022:0339

Comment 8 errata-xmlrpc 2022-02-16 06:47:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:0483 https://access.redhat.com/errata/RHSA-2022:0483

Comment 9 errata-xmlrpc 2022-02-16 11:27:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:0491 https://access.redhat.com/errata/RHSA-2022:0491

Comment 10 errata-xmlrpc 2022-02-24 15:12:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2022:0555 https://access.redhat.com/errata/RHSA-2022:0555

Comment 11 errata-xmlrpc 2022-02-25 01:01:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:0565 https://access.redhat.com/errata/RHSA-2022:0565

Comment 14 Product Security DevOps Team 2022-03-10 19:01:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-20612

