CVE-2022-20612 Overview
A cross-site request forgery (CSRF) vulnerability exists in Jenkins 2.329 and earlier, as well as LTS 2.319.1 and earlier. This vulnerability allows attackers to trigger builds of jobs without parameters when no security realm is configured. The flaw stems from insufficient CSRF token validation in the Jenkins build trigger mechanism, enabling malicious actors to craft requests that execute unauthorized actions on behalf of authenticated users.
Critical Impact
Attackers can manipulate Jenkins instances without configured security realms to trigger unauthorized job builds, potentially leading to malicious code execution in CI/CD pipelines, unauthorized deployments, or resource exhaustion.
Affected Products
- Jenkins versions 2.329 and earlier
- Jenkins LTS versions 2.319.1 and earlier
- Oracle Communications Cloud Native Core Automated Test Suite 1.9.0
Discovery Timeline
- 2022-01-12 - CVE-2022-20612 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-20612
Vulnerability Analysis
This vulnerability is classified as Cross-Site Request Forgery (CWE-352), a web application security flaw that allows attackers to induce users to perform actions they did not intend. In the context of Jenkins, the vulnerability specifically affects the job build triggering mechanism when the Jenkins instance operates without a security realm configured.
The attack requires user interaction, specifically that an authenticated user visits a malicious page while having an active session with the vulnerable Jenkins instance. The attacker cannot directly compromise confidentiality or availability, but can manipulate the integrity of the Jenkins system by triggering unauthorized builds.
Root Cause
The root cause of this vulnerability lies in the insufficient validation of CSRF tokens for build trigger requests in Jenkins. When no security realm is configured, Jenkins does not properly enforce CSRF protection for certain endpoints responsible for initiating job builds. This oversight allows external websites to craft malicious requests that the browser will automatically authenticate using the victim's existing session cookies.
Attack Vector
The attack vector is network-based and requires the victim to interact with attacker-controlled content. The exploitation scenario involves:
- An attacker identifies a Jenkins instance running a vulnerable version without a security realm configured
- The attacker crafts a malicious webpage containing hidden forms or JavaScript that targets the Jenkins build trigger endpoints
- When an authenticated Jenkins user visits the malicious page, their browser automatically sends the forged request to Jenkins
- Jenkins processes the request as legitimate, triggering job builds without proper authorization verification
The vulnerability does not require attacker privileges on the Jenkins instance, and the low attack complexity makes it accessible to unsophisticated attackers. However, user interaction is required for successful exploitation.
Detection Methods for CVE-2022-20612
Indicators of Compromise
- Unexpected job builds appearing in Jenkins build history without corresponding user activity
- Build trigger events originating from unusual referrer URLs or external sources
- Authentication logs showing sessions with build activity but no preceding user navigation within Jenkins
- Unusual patterns of parameterless job executions, particularly during off-hours
Detection Strategies
- Monitor Jenkins access logs for POST requests to build trigger endpoints with external or suspicious Referer headers
- Implement alerting for job builds initiated without corresponding authenticated user sessions in the Jenkins UI
- Review Jenkins audit logs for build activities that lack expected user interaction patterns
- Deploy web application firewalls (WAF) with CSRF detection capabilities in front of Jenkins instances
Monitoring Recommendations
- Enable comprehensive audit logging in Jenkins to capture all build trigger events and their origins
- Configure security monitoring tools to alert on builds triggered from external referrers
- Implement network monitoring to detect suspicious traffic patterns targeting Jenkins endpoints
- Regularly review build histories for anomalies that could indicate CSRF exploitation attempts
How to Mitigate CVE-2022-20612
Immediate Actions Required
- Upgrade Jenkins to version 2.330 or later (or LTS 2.319.2 or later) immediately
- Configure a security realm in Jenkins if one is not already enabled
- Review recent build history for any unauthorized or suspicious job executions
- Enable CSRF protection explicitly in Jenkins security configuration
- Audit all Jenkins instances within the organization for vulnerable versions
Patch Information
Jenkins has released security updates addressing this vulnerability. Organizations should upgrade to Jenkins 2.330 or later for the weekly release line, or LTS 2.319.2 or later for the Long-Term Support release line. For Oracle Communications Cloud Native Core Automated Test Suite users, refer to the Oracle Critical Patch Update April 2022 for patching guidance.
Detailed information about the fix is available in the Jenkins Security Advisory 2022-01-12.
Workarounds
- Configure a security realm in Jenkins to enable proper authentication and CSRF protection
- Restrict network access to Jenkins instances using firewall rules to limit exposure
- Implement reverse proxy configurations that validate Referer and Origin headers for state-changing requests
- Consider using Jenkins behind a VPN to reduce the attack surface for external CSRF attacks
# Example: Verify Jenkins version and check security realm configuration
# Check current Jenkins version
java -jar jenkins-cli.jar -s http://your-jenkins-url/ version
# Ensure CSRF protection is enabled in Jenkins configuration
# Navigate to: Manage Jenkins > Configure Global Security
# Verify "Prevent Cross Site Request Forgery exploits" is checked
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
