CVE-2022-28150

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the Jenkins Job and Node ownership Plugin lets an attacker change job owners and permissions by tricking an authenticated Jenkins user's browser into submitting a forged request; the attacker needs no credentials of their own. It affects Jenkins instances with the vulnerable plugin installed and can enable unauthorized access and privilege escalation.

💻 Affected Systems

Products:
  • Jenkins Job and Node ownership Plugin
Versions: 0.13.0 and earlier
Operating Systems: All OS where Jenkins runs
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and enabled in Jenkins; default Jenkins installations may not have it.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could take over jobs, modify permissions to gain administrative control, and disrupt CI/CD pipelines, leading to data theft or system compromise.

🟠 Likely Case: Unauthorized users change job ownership to gain access to sensitive build data or execute malicious actions within Jenkins.

🟢 If Mitigated: With CSRF protections or network segmentation, impact is limited to minor configuration changes if exploited.

🌐 Internet-Facing: HIGH, as CSRF attacks can be launched remotely via malicious websites targeting exposed Jenkins instances.
🏢 Internal Only: MEDIUM, as internal attackers or phishing could still exploit it, but it requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated user into visiting a malicious site; no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.1 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20%281%29

Restart Required: Yes

Instructions:

1. Update Jenkins to a supported version.
2. Navigate to Manage Jenkins > Plugin Manager.
3. Update 'Job and Node ownership Plugin' to version 0.13.1 or later.
4. Restart Jenkins to apply changes.

🔧 Temporary Workarounds

Disable the plugin (applies to: all)

Temporarily disable the vulnerable plugin to prevent exploitation.

Navigate to Manage Jenkins > Plugin Manager, find 'Job and Node ownership Plugin', and disable it.

Implement CSRF protections (applies to: all)

Enable Jenkins CSRF protection and use security headers to mitigate attacks.

Set 'hudson.security.csrf.GlobalCrumbIssuerConfiguration' to true in Jenkins configuration.

🧯 If You Can't Patch

  • Restrict network access to Jenkins to trusted users only.
  • Monitor for unauthorized changes to job ownership and permissions.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in Jenkins: go to Manage Jenkins > Plugin Manager, find 'Job and Node ownership Plugin', and verify whether the installed version is 0.13.0 or earlier.

Check Version:

In Jenkins, use the URL: http://<jenkins-url>/pluginManager/installed to list plugins and versions.

Verify Fix Applied:

After updating, confirm the plugin version is 0.13.1 or later in Plugin Manager.
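As an added example (not from the advisory or the plugin project), a small Python check that reads a Jenkins plugin inventory and flags an installed Job and Node ownership Plugin at 0.13.0 or earlier. It assumes the plugin's short name in the plugin manager API is "ownership" and the JSON shape of /pluginManager/api/json?depth=1; the sample inventories are constructed so the script runs offline.

```python
"""Flag a vulnerable Job and Node ownership Plugin (0.13.0 and earlier,
fixed in 0.13.1) in a Jenkins plugin inventory.

Assumptions not stated on the page: the plugin's short name is "ownership",
and the JSON matches /pluginManager/api/json?depth=1 (a "plugins" list whose
entries carry "shortName", "version", "enabled" and "active")."""
import json
import re

PLUGIN_SHORT_NAME = "ownership"  # assumed plugin id
FIXED_VERSION = "0.13.1"         # first fixed release named in the advisory


def parse_version(version: str) -> tuple:
    """'0.13.0' -> (0, 13, 0). A qualifier such as '-SNAPSHOT' is dropped;
    a shorter tuple ('0.13') compares lower than (0, 13, 1), as intended."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(version: str) -> bool:
    """True for any release below the first fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(plugin_inventory_json: str) -> dict:
    """Summarise exposure from a plugin manager JSON document. 'exploitable'
    is true only when the vulnerable plugin is also enabled and active,
    matching the page's note that the plugin must be installed and enabled."""
    inventory = json.loads(plugin_inventory_json)
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = str(plugin.get("version", "0"))
            active = bool(plugin.get("enabled")) and bool(plugin.get("active"))
            vulnerable = is_vulnerable(version)
            return {"installed": True, "version": version, "active": active,
                    "vulnerable": vulnerable, "exploitable": vulnerable and active}
    return {"installed": False, "version": None, "active": False,
            "vulnerable": False, "exploitable": False}


# Constructed sample inventories, not captured from a real server.
SAMPLE_VULNERABLE = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "2.6.1", "enabled": True, "active": True},
    {"shortName": "ownership", "version": "0.13.0", "enabled": True, "active": True}]})
SAMPLE_FIXED = json.dumps({"plugins": [
    {"shortName": "ownership", "version": "0.13.1", "enabled": True, "active": True}]})

if __name__ == "__main__":
    print(assess(SAMPLE_VULNERABLE))
    print(assess(SAMPLE_FIXED))
```

Against a live instance, fetch /pluginManager/api/json?depth=1 with an API token and pass the response body to assess().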

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing unexpected changes to job ownership or permissions in Jenkins logs.

Network Indicators:

  • Unusual HTTP POST requests to Jenkins endpoints related to job configuration from untrusted sources.

SIEM Query:

Example: search for 'jenkins' AND 'job ownership change' in access logs with status 200.
