CVE-2022-30969

8.8 HIGH

📋 TL;DR

A CSRF vulnerability in Jenkins Autocomplete Parameter Plugin allows attackers to trick authenticated administrators into executing arbitrary code without sandbox restrictions. This affects Jenkins instances with the vulnerable plugin installed where administrators access malicious web content. Attackers can achieve remote code execution with administrator privileges.

💻 Affected Systems

Products:
  • Jenkins Autocomplete Parameter Plugin
Versions: 1.1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the vulnerable plugin to be installed and an administrator to be tricked into visiting a malicious page while authenticated.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Full system compromise through remote code execution with administrator privileges, allowing installation of backdoors, data theft, and lateral movement.

🟠 Likely Case
Attacker gains persistent access to the Jenkins server, can modify builds, steal credentials, and access connected systems.

🟢 If Mitigated
No impact if proper CSRF protections are enabled and administrators avoid untrusted web content.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet are prime targets for CSRF attacks via malicious websites.
🏢 Internal Only: MEDIUM - Internal administrators could still be tricked via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick administrators but technical complexity is low once the victim visits malicious content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2322

Restart Required: Yes

Instructions:

1. Update Jenkins Autocomplete Parameter Plugin to version 1.2 or later via Jenkins Plugin Manager.
2. Restart the Jenkins service.
3. Verify the plugin version in the Installed Plugins list.

🔧 Temporary Workarounds

Enable CSRF Protection
Applies to: all
Ensure Jenkins CSRF protection is enabled in the global security settings.
Navigate to Manage Jenkins > Configure Global Security > Enable 'Prevent Cross Site Request Forgery exploits'

Remove Vulnerable Plugin
Applies to: all
Uninstall the Autocomplete Parameter Plugin if it is not required.
Navigate to Manage Jenkins > Plugin Manager > Installed > Uncheck Autocomplete Parameter Plugin > Apply

🧯 If You Can't Patch

  • Restrict administrator access to trusted networks only
  • Implement web application firewall rules to block suspicious CSRF patterns

🔍 How to Verify

Check if Vulnerable:

Check installed plugin version via Manage Jenkins > Plugin Manager > Installed plugins > Autocomplete Parameter

Check Version:

curl -s http://jenkins-host/pluginManager/installed | grep -A5 'Autocomplete Parameter'

Verify Fix Applied:

Verify plugin version is 1.2 or higher in Installed Plugins list
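A defender-side version check that reads the Jenkins plugin manager JSON API instead of grepping the HTML page. This is an added example, not part of the advisory; it assumes the plugin's short name is `autocomplete-parameter` and that a Jenkins API token is available for the querying user.

```python
"""Report whether the installed Autocomplete Parameter Plugin predates the 1.2 fix."""
import json
import re
import urllib.request
from base64 import b64encode

FIXED_VERSION = (1, 2)                        # first fixed release per the advisory
PLUGIN_SHORT_NAME = "autocomplete-parameter"  # assumed plugin id (not stated on the page)


def parse_version(text):
    """'1.1' -> (1, 1); drops suffixes such as '-SNAPSHOT' so tuples compare numerically."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums)


def assess(plugins_json):
    """Return 'not installed', 'vulnerable' or 'fixed' from /pluginManager/api/json output."""
    for plugin in plugins_json.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = parse_version(plugin.get("version", "0"))
            return "vulnerable" if version < FIXED_VERSION else "fixed"
    return "not installed"


def fetch_plugins(base_url, user, api_token):
    """Query the plugin manager API with basic auth (depth=1 includes version fields)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response standing in for a live Jenkins instance.
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "version": "4.11.0", "enabled": True},
        {"shortName": "autocomplete-parameter", "version": "1.1", "enabled": True},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_plugins("https://jenkins-host", "user", "token") for a live check.
    print(PLUGIN_SHORT_NAME, "->", assess(SAMPLE_RESPONSE))
```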

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin configuration changes
  • Unexpected Groovy script execution
  • Administrative actions from unexpected IPs

Network Indicators:

  • HTTP POST requests to /descriptorByName/... endpoints with suspicious parameters
  • Outbound connections to unknown destinations after plugin actions

SIEM Query:

source="jenkins.log" AND ("Autocomplete Parameter" OR "descriptorByName") AND (POST OR configChange)
