CVE-2022-28136
📋 TL;DR
This CSRF vulnerability in Jenkins JiraTestResultReporter Plugin allows attackers to trick authenticated users into connecting Jenkins to attacker-controlled Jira instances using attacker-specified credentials. This could lead to data exfiltration or further attacks. All Jenkins instances with the vulnerable plugin version are affected.
💻 Affected Systems
- Jenkins JiraTestResultReporter Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could connect Jenkins to malicious Jira servers, exfiltrating sensitive build/test data, injecting malicious content into builds, or using Jenkins as a pivot point to attack internal systems.
Likely Case
Attackers could redirect Jenkins test results to attacker-controlled Jira instances, potentially exposing sensitive project data, build artifacts, or credentials stored in Jenkins.
If Mitigated
With proper CSRF protections and network segmentation, impact is limited to potential data exposure from the specific plugin functionality.
🎯 Exploit Status
Exploitation requires tricking an authenticated Jenkins user to visit a malicious page. No authentication bypass is needed beyond the CSRF attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 166.v8b96b3c3d78d or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2236
Restart Required: Yes
Instructions:
1. Update Jenkins JiraTestResultReporter Plugin to version 166.v8b96b3c3d78d or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the JiraTestResultReporter Plugin if immediate patching isn't possible
Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find JiraTestResultReporter > Click Disable
CSRF Protection Enhancement
Ensure Jenkins CSRF protection is enabled and configured with strict origin checking
Check Jenkins > Configure Global Security > Enable 'Prevent Cross Site Request Forgery exploits'
🧯 If You Can't Patch
- Implement strict network controls to limit Jenkins outbound connections to only trusted Jira instances
- Use web application firewalls (WAF) with CSRF protection rules and monitor for suspicious plugin configuration changes
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin version: Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find JiraTestResultReporter and check version number
Check Version:
Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab
Verify Fix Applied:
Verify plugin version is 166.v8b96b3c3d78d or later in Jenkins Plugin Manager
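As an added example (not part of the advisory and not the plugin's own tooling), the script below reads the installed plugin list from the Jenkins REST API and compares the JiraTestResultReporter version against the fixed release. It assumes the plugin's short name in Jenkins is JiraTestResultReporter, that the caller supplies a Jenkins user and API token, and the sample response at the bottom is constructed for offline use.

```python
import json
import re
import urllib.request
from base64 import b64encode

PLUGIN_ID = "JiraTestResultReporter"   # assumed plugin short name in Jenkins
FIXED_VERSION = "166.v8b96b3c3d78d"    # fixed version from the advisory

def version_key(version):
    # New-style Jenkins versions ("166.v8b96b3c3d78d") are one integer
    # before ".v<hash>"; older dotted versions ("1.0.9") compare per component.
    m = re.match(r"^(\d+)\.v[0-9a-f]+$", version)
    if m:
        return (int(m.group(1)),)
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)          # ignore suffixes like "-beta"
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)

def is_fixed(installed):
    return version_key(installed) >= version_key(FIXED_VERSION)

def assess(plugins):
    # Evaluate the "plugins" list from /pluginManager/api/json?depth=1.
    for p in plugins:
        if p.get("shortName") == PLUGIN_ID:
            version = p.get("version", "0")
            enabled = bool(p.get("enabled"))
            return {"installed": True, "version": version, "enabled": enabled,
                    "fixed": is_fixed(version),
                    "vulnerable": enabled and not is_fixed(version)}
    return {"installed": False, "version": None, "enabled": False,
            "fixed": True, "vulnerable": False}

def fetch_plugins(base_url, user, api_token):
    # Read the plugin list over the Jenkins REST API with a user API token.
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["plugins"]

# Constructed sample API response (not captured from a real server).
SAMPLE_PLUGINS = [
    {"shortName": "git", "version": "4.11.0", "enabled": True},
    {"shortName": PLUGIN_ID, "version": "160.vabc123def456", "enabled": True},
]
```

Against a live server, `assess(fetch_plugins("https://jenkins.example", "user", "token"))` returns the same dictionary shape, and a disabled plugin is reported as not vulnerable because its endpoints are not served.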
📡 Detection & Monitoring
Log Indicators:
- Unexpected Jira server configuration changes in Jenkins logs
- Failed authentication attempts to new Jira servers
- Plugin configuration modifications
Network Indicators:
- Jenkins outbound connections to unknown Jira servers
- Unusual traffic patterns from Jenkins to external systems
SIEM Query:
source="jenkins.log" AND ("JiraTestResultReporter" OR "jira configuration") AND ("changed" OR "updated" OR "failed")