An attacker can hijack a victim's session by tricking the user into clicking a crafted web link, which can result in the execution of arbitrary code on the Jenkins server. The attack can be prevented by configuring the security realm correctly. Jenkins versions prior to 2.329 are affected.
The issue is a cross-site request forgery (XSRF) attack. Malicious parties can exploit it to steal sensitive information or hijack the sessions of legitimate users by tricking a user into clicking a crafted web link. An attacker can send a web request to the Jenkins server via a browser. The request can contain an X-Frame-Options header with a value of DENY. Validation of this header can be disabled by setting it to SAME or STYLE_SAME. Once the X-Frame-Options header is set to STYLE_SAME, it is ignored, because the request is treated as an internal request coming from the same host as the originating request. When a malicious user submits a request with an X-Frame-Options header set to STYLE_SAME, an XSRF attack can be launched against Jenkins. A user who visits the malicious link is redirected to a fake login page. On clicking on the
Techniques used in the Vulnerability
An attacker may use a variety of techniques when exploiting the vulnerability. The attacker can construct a web link with the help of a hyperlink shortener. This link can be placed anywhere on an unprivileged domain, such as a website or blog post.
The user is redirected to the Jenkins server via an HTTP request. During this process the X-Frame-Options header is ignored, since it is set to STYLE_SAME by default. The victim's session is hijacked when they click the crafted web link, which executes arbitrary code on the Jenkins server.
When using this technique, the attacker needs to know that the victim's browser has been configured to ignore X-Frame-Options headers set to SAME and STYLE_SAME. The attacker also needs to know how Jenkins is configured and whether any security realms are defined on it.
Techniques to exploit Jenkins XSRF attack
The XSRF attack can be carried out in different ways. An attacker could send a crafted web link to the target victim and wait for the target to visit it. The victim is immediately redirected to a fake login page (or an image) that asks for their username and password, which are then sent to the attacker's server. Another way of executing the XSRF attack is to craft a malicious HTML document whose parameters have been set up beforehand with special values. The malicious HTML document could also contain scripts that let the attacker communicate back and forth with the Jenkins server remotely. This method is less reliable but allows more flexibility in the communication between Jenkins and the attacker.
Upgrade to Jenkins 2.329
The issue can be solved by upgrading to Jenkins 2.329 or a later version, which contains the upstream fix for the issue.
The issue can also be mitigated by not setting the X-Frame-Options header to SAME or STYLE_SAME.
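As an added example (not from the advisory or from Jenkins itself), a small Python check that audits the X-Frame-Options header on a captured HTTP response. Browsers honour only DENY and SAMEORIGIN; non-standard values such as SAME and STYLE_SAME are discarded, leaving the page unprotected, which is what the mitigation above removes. The sample responses are constructed for the demonstration.

```python
"""Audit the X-Frame-Options header of raw HTTP responses (added example)."""

# Values a browser actually honours. ALLOW-FROM is obsolete and unsupported by
# modern browsers; any other value (including SAME and STYLE_SAME) is not part
# of the header definition and is discarded, so no framing protection applies.
HONOURED = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lowercase-name: [values...]}.

    Values are kept as a list so that duplicate headers are visible to the
    audit instead of silently overwriting each other.
    """
    headers: dict = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:                     # malformed line, ignore it
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_xfo(raw: str) -> str:
    """Classify a response as 'protected', 'missing', 'ambiguous' or 'ignored:<value>'."""
    values = parse_headers(raw).get("x-frame-options", [])
    if not values:
        return "missing"
    if len(values) > 1:
        # Several X-Frame-Options headers are not interpreted consistently
        # across browsers, so flag them for manual review.
        return "ambiguous"
    value = values[0].upper()           # the header value is case-insensitive
    return "protected" if value in HONOURED else f"ignored:{value}"


# Constructed sample responses standing in for a Jenkins login page.
GOOD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: STYLE_SAME\r\n\r\n<html>"
NONE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("weak", WEAK), ("none", NONE)):
        print(label, audit_xfo(resp))
```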