CVE-2022-30958 – This CSRF vulnerability in Jenkins SSH Plugin a... (How to Fix)

Q: What is the severity of CVE-2022-30958?

CVE-2022-30958 has a CVSS score of 8.8 (HIGH). This CSRF vulnerability in Jenkins SSH Plugin allows attackers to trick authenticated users into unknowingly connecting to attacker-controlled SSH servers using stolen Jenkins credentials. Attackers can capture sensitive credentials stored in Jenkins. All Jenkins instances using SSH Plugin 2.6.1 or earlier are affected.

📋 TL;DR

This CSRF vulnerability in Jenkins SSH Plugin allows attackers to trick authenticated users into unknowingly connecting to attacker-controlled SSH servers using stolen Jenkins credentials. Attackers can capture sensitive credentials stored in Jenkins. All Jenkins instances using SSH Plugin 2.6.1 or earlier are affected.

💻 Affected Systems

Products:

Jenkins SSH Plugin

Versions: 2.6.1 and earlier

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Jenkins with SSH Plugin installed and configured with stored credentials.

📦 What is this software?

Ssh by Jenkins

View all CVEs affecting Ssh →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete credential theft from Jenkins, leading to lateral movement, data exfiltration, and potential compromise of connected systems.

🟠

Likely Case

Attackers steal SSH credentials stored in Jenkins, enabling unauthorized access to systems using those credentials.

🟢

If Mitigated

Limited impact with proper CSRF protections, credential rotation, and network segmentation in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires tricking authenticated user to visit malicious page. Credential IDs must be obtained separately.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SSH Plugin 2.6.2

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2093

Restart Required: Yes

Instructions:

1. Update Jenkins SSH Plugin to version 2.6.2 or later via Jenkins Plugin Manager. 2. Restart Jenkins after update.

🔧 Temporary Workarounds

Enable CSRF Protection

all

Ensure Jenkins CSRF protection is enabled globally

Check Jenkins Configure Global Security settings for CSRF protection

Restrict Network Access

all

Limit outbound SSH connections from Jenkins to trusted networks only

Configure firewall rules to restrict Jenkins SSH outbound traffic

🧯 If You Can't Patch

Rotate all SSH credentials stored in Jenkins immediately
Implement strict network segmentation to limit Jenkins SSH outbound connections

🔍 How to Verify

Check if Vulnerable:

Check SSH Plugin version in Jenkins Plugin Manager. If version is 2.6.1 or earlier, system is vulnerable.

Check Version:

Check Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab, search for SSH Plugin

Verify Fix Applied:

Verify SSH Plugin version is 2.6.2 or later in Jenkins Plugin Manager.

📡 Detection & Monitoring

Log Indicators:

Unexpected SSH connection attempts from Jenkins to unknown IPs
Failed SSH authentication attempts using Jenkins credentials

Network Indicators:

Outbound SSH connections from Jenkins to suspicious external IPs
SSH traffic patterns inconsistent with normal operations

SIEM Query:

source="jenkins.log" AND ("SSH connection" OR "credentials") AND ("failed" OR "unauthorized")

📊 Metadata

CVE ID: CVE-2022-30958

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-352

Published: May 17, 2022

Last Updated: November 21, 2024

🔗 References

https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2093 Vendor Advisory
https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2093 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-30958, you might also want to check these: