CVE-2022-25198
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in the Jenkins SCP publisher Plugin lets an attacker make the Jenkins controller open an SSH connection to an attacker-specified server with attacker-specified credentials, simply by getting a logged-in Jenkins user to load a malicious page. It affects every Jenkins instance running SCP publisher Plugin 1.8 or earlier. The main risk is abuse of the controller's network position: it can be made to probe SSH servers the attacker cannot reach directly, and to authenticate to them with whatever credentials the attacker supplies.
💻 Affected Systems
- Jenkins SCP publisher Plugin, versions 1.8 and earlier (any Jenkins controller with the plugin installed and enabled)
📦 What is this software?
The SCP publisher Plugin is a Jenkins post-build step that copies build artifacts to remote hosts over SCP (SSH). It stores SCP "sites" (host, port, credentials) in the global Jenkins configuration and offers a connection test against a site from the configuration form.
⚠️ Risk & Real-World Impact
Worst Case
An attacker uses the Jenkins controller as an SSH client against internal SSH servers that are not reachable from outside: checking which hosts and ports answer, and trying attacker-chosen (stolen or guessed) credentials against them, all from the controller's trusted IP address. Combined with weak credentials or other weaknesses on those hosts, this can become a foothold for lateral movement in the build network.
Likely Case
An attacker uses forged requests to map which internal SSH hosts the controller can reach and whether a given set of credentials works against them. The forged request triggers a one-off connection; it does not by itself change the SCP sites configured in Jenkins or redirect the transfers of existing jobs.
If Mitigated
No impact once the plugin is updated to a fixed version or disabled/uninstalled. Jenkins's built-in CSRF protection (crumbs) alone does not prevent this issue, because the vulnerable endpoint accepts GET requests, which crumb validation does not cover.
🎯 Exploit Status
Exploitation requires a logged-in Jenkins user to load an attacker-controlled page (or any page where the attacker can place an image or link). Because the vulnerable endpoint accepts GET requests, the forged request needs no JavaScript: an <img> tag or a link pointing at the Jenkins URL is enough. CSRF attacks of this kind are well understood and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9 or later (confirm the fixed release against the vendor advisory below before relying on it; if the advisory lists no fixed release for SCP publisher Plugin, treat the plugin as unfixed and uninstall or disable it)
Vendor Advisory: https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2323
Restart Required: Yes
Instructions:
1. Update Jenkins SCP publisher Plugin to version 1.9 or later via Manage Jenkins > Manage Plugins (Plugin Manager).
2. Restart Jenkins (use a safe restart so running builds finish first).
3. Verify the installed version on the Installed tab of the Plugin Manager, and keep the plugin enabled only if a job still needs it.
🔧 Temporary Workarounds
Disable or uninstall SCP publisher Plugin
Temporarily disable the vulnerable plugin if immediate patching isn't possible; uninstall it if no job uses it. A disabled plugin is not loaded, so its form-validation endpoint is no longer reachable.
Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find 'SCP publisher' > Click 'Disable' (or 'Uninstall'), then restart Jenkins for the change to take effect
Keep Jenkins CSRF protection on, but do not rely on it for this issue
Jenkins's built-in CSRF protection (the crumb issuer under Manage Jenkins > Configure Global Security) validates crumbs only on POST requests. The vulnerable form-validation method in SCP publisher Plugin 1.8 and earlier accepts GET requests, which is exactly what makes the CSRF possible, so enabling crumbs or adding CSRF tokens at a reverse proxy does not close it. Leave crumb protection enabled for everything else and use the disable/uninstall workaround above for this plugin.
🧯 If You Can't Patch
- Restrict Jenkins access to trusted users only with strong authentication, and discourage users from browsing untrusted sites while logged in to Jenkins (a separate browser profile for Jenkins administration helps)
- Implement network segmentation and egress filtering: allow outbound SSH (TCP/22) from the Jenkins controller only to the SCP targets your jobs actually use, so a forged request cannot reach other internal SSH servers or an attacker's host
🔍 How to Verify
Check if Vulnerable:
Check Jenkins Plugin Manager for the SCP publisher Plugin version. If the plugin is installed and enabled and its version is 1.8 or earlier, the instance is vulnerable. A disabled plugin is not exploitable, but becomes so again if it is re-enabled without being updated.
Check Version:
Check Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab > Find 'SCP publisher'
Verify Fix Applied:
Verify SCP publisher Plugin version is 1.9 or later in Jenkins Plugin Manager > Installed Plugins.
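The same check can be scripted against the plugin list Jenkins exposes at /pluginManager/api/json?depth=1 (whose shortName, longName, version and enabled fields are real). The script below is an added example for this page, not code from Jenkins or the plugin. It assumes the plugin's shortName is "scp" (with a longName fallback in case that assumption is wrong), compares versions numerically so that a hypothetical 1.10 is not ranked below 1.8, and runs offline against a constructed sample response; fetch_plugin_list does the live call when you pass a controller URL and an API token.

```python
"""Check whether a Jenkins controller still runs a vulnerable SCP publisher Plugin.

Added example for this page, not code from Jenkins or the SCP publisher Plugin.
Assumptions: the plugin's shortName is "scp" (longName substring used as fallback);
versions 1.8 and earlier are vulnerable, as stated in the advisory.
"""
import base64
import json
import re
import urllib.request

VULN_MAX = (1, 8)                  # versions <= 1.8 are affected (per the advisory)
PLUGIN_SHORTNAME = "scp"           # assumption: plugin id of "SCP publisher Plugin"
PLUGIN_LONGNAME = "SCP publisher"  # fallback: substring match on the display name


def parse_version(version: str) -> tuple:
    """Turn '1.8', '1.10' or '1.9-beta' into a tuple that compares numerically.

    Plain string comparison would rank '1.10' below '1.8'; integer tuples do not."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums) if nums else (0,)


def is_vulnerable_version(version: str) -> bool:
    return parse_version(version) <= VULN_MAX


def assess_plugins(plugin_list_json: str) -> dict:
    """Return a verdict for the SCP publisher Plugin from the pluginManager JSON.

    status is one of 'not-installed', 'disabled', 'vulnerable', 'patched'.
    A disabled plugin is not loaded and so not exploitable, but it is still
    reported so it is not forgotten when someone re-enables it."""
    data = json.loads(plugin_list_json)
    for plugin in data.get("plugins", []):
        short = plugin.get("shortName", "")
        long_name = plugin.get("longName", "")
        if short == PLUGIN_SHORTNAME or PLUGIN_LONGNAME.lower() in long_name.lower():
            version = str(plugin.get("version", "0"))
            if not plugin.get("enabled", True):
                status = "disabled"
            elif is_vulnerable_version(version):
                status = "vulnerable"
            else:
                status = "patched"
            return {"status": status, "version": version, "shortName": short}
    return {"status": "not-installed", "version": None, "shortName": None}


def fetch_plugin_list(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live plugin list from a controller (network call; not used by the
    offline sample below). Jenkins accepts a user API token via HTTP Basic auth."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response (not captured from a real controller): two plugins,
# one of them an enabled SCP publisher Plugin 1.8, i.e. vulnerable.
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Git plugin", "version": "4.10.3", "enabled": True},
        {"shortName": "scp", "longName": "SCP publisher Plugin", "version": "1.8", "enabled": True},
    ]
})

if __name__ == "__main__":
    # For a live check: assess_plugins(fetch_plugin_list("https://jenkins.example", "admin", "<token>"))
    print(assess_plugins(SAMPLE_RESPONSE))
```

Run it against every controller you operate, not just the one you remember installing the plugin on; the 'disabled' verdict is worth tracking separately because a later "enable" click silently reintroduces the exposure.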
📡 Detection & Monitoring
Log Indicators:
- Requests in the Jenkins access log (if access logging is enabled) to the SCP publisher Plugin's form-validation endpoint made with GET rather than POST and carrying hostname or credential parameters, especially with a Referer outside your Jenkins URL
- Connection errors or SSH authentication failures in the Jenkins controller log that name hosts not configured as SCP sites
- Failed authentication attempts on internal SSH servers originating from the Jenkins controller's IP
Network Indicators:
- SSH (TCP/22) traffic from the Jenkins controller to hosts that are not configured SCP targets, internal or external; the connection is made by the controller itself, because form validation runs on the controller, not on agents
- Bursts of short-lived SSH connections from the controller to many distinct hosts (a scanning pattern)
SIEM Query (pseudo-syntax over flow or firewall logs; adapt field names to your schema):
src_ip="<jenkins_controller_ip>" AND dest_port=22 AND NOT dest_ip IN (<known_scp_targets>)
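The detection logic behind that query, as an added example for this page (not part of the original advisory or of any Jenkins tooling): it parses a constructed, simplified flow-log format (timestamp, source IP and port, destination IP and port, protocol), keeps only SSH flows whose source is the Jenkins controller, and flags destinations that are not known SCP targets, distinguishing unlisted internal hosts from external ones. The controller address, allowlist, internal ranges and sample lines are all assumed values; adapt parse_flow to your NetFlow, VPC flow log or firewall export.

```python
"""Flag outbound SSH from the Jenkins controller to hosts that are not known SCP targets.

Added example for this page; the flow-log format, controller IP, allowlist and
internal ranges below are assumptions, not values from the advisory.
"""
import ipaddress

JENKINS_CONTROLLER = ipaddress.ip_address("10.0.5.20")              # assumption
KNOWN_SCP_TARGETS = {ipaddress.ip_address(h) for h in ("10.0.9.15", "10.0.9.16")}  # assumption
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]                # assumption
SSH_PORT = 22

# Constructed sample flow records: "timestamp src_ip src_port dst_ip dst_port proto".
# Lines 1-2 are legitimate SCP publishes; line 3 reaches an outside host; line 4 an
# internal host that is not an SCP target; line 5 is from a different source; line 6
# is HTTPS, not SSH.
SAMPLE_FLOWS = """\
2022-02-16T09:00:01Z 10.0.5.20 51000 10.0.9.15 22 tcp
2022-02-16T09:00:04Z 10.0.5.20 51002 10.0.9.16 22 tcp
2022-02-16T09:02:17Z 10.0.5.20 51010 203.0.113.44 22 tcp
2022-02-16T09:02:18Z 10.0.5.20 51011 10.0.7.3 22 tcp
2022-02-16T09:03:00Z 10.0.5.21 51012 203.0.113.44 22 tcp
2022-02-16T09:03:05Z 10.0.5.20 51013 203.0.113.44 443 tcp
"""


def parse_flow(line: str) -> dict:
    """Split one record of the (assumed) space-separated flow format."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def classify_destination(dst: str) -> str:
    """'allowed' for configured SCP targets, 'internal-unlisted' for other hosts in
    the internal ranges, 'external' for everything else."""
    addr = ipaddress.ip_address(dst)
    if addr in KNOWN_SCP_TARGETS:
        return "allowed"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal-unlisted"
    return "external"


def suspicious_ssh(flows_text: str, controller=JENKINS_CONTROLLER) -> list:
    """Return (timestamp, destination, verdict) for every SSH flow from the
    controller whose destination is not a known SCP target."""
    hits = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        # Only the controller makes the plugin's connection test, and only over SSH.
        if flow["src"] != controller or flow["dport"] != SSH_PORT or flow["proto"] != "tcp":
            continue
        verdict = classify_destination(flow["dst"])
        if verdict != "allowed":
            hits.append((flow["ts"], flow["dst"], verdict))
    return hits


if __name__ == "__main__":
    for ts, dst, verdict in suspicious_ssh(SAMPLE_FLOWS):
        print(f"{ts} controller -> {dst}:22 [{verdict}]")
```

The 'internal-unlisted' verdict is the one that matters most for this CVE: an attacker who already controls an external SSH server gains little from making Jenkins connect to it, whereas SSH attempts from the controller to internal hosts it has no business reaching are the signature of the controller being used as a pivot.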