CVE-2022-41236 in Security Inspector Plugininfo

Summary

by MITRE • 09/21/2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the .../report URL with a report based on attacker-specified report generation options.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/28/2025

The vulnerability identified as CVE-2022-41236 represents a critical cross-site request forgery weakness within the Jenkins Security Inspector Plugin version 117.v6eecc36919c2 and earlier releases. This flaw exists in the plugin's handling of session-based report generation and caching mechanisms, creating a pathway for malicious actors to manipulate security report content displayed to authorized users. The vulnerability specifically targets the .../report URL endpoint where security reports are cached and subsequently rendered for administrators and other privileged users who access the Jenkins instance.

The technical implementation of this CSRF vulnerability stems from insufficient validation of request origins and lack of proper anti-CSRF token verification within the plugin's report generation workflow. When authorized users navigate to the report URL, the system retrieves a cached report that was previously generated based on specific parameters. An attacker can exploit this by crafting malicious requests that manipulate the report generation options stored in the session cache, effectively replacing legitimate security reports with attacker-controlled content. This occurs because the plugin does not adequately verify that requests modifying cached reports originate from legitimate user sessions or contain proper authentication tokens.

The operational impact of this vulnerability extends beyond simple content manipulation, as it can enable sophisticated attacks targeting security monitoring and compliance processes. Authorized users who regularly access security reports may unknowingly view maliciously crafted reports that could contain false positives, misleading information, or even contain embedded malicious code. The attack vector allows for persistent manipulation of security data that administrators rely upon for decision-making processes, potentially masking actual security threats or creating false security postures that could delay proper incident response. This vulnerability particularly affects organizations that depend on Jenkins for security auditing and compliance reporting, where the integrity of security reports is paramount for maintaining secure infrastructure.

Organizations should implement immediate mitigations including upgrading to the patched version of the Jenkins Security Inspector Plugin, which addresses the CSRF vulnerability through proper request validation and token implementation. Additionally, administrators should consider implementing network-level protections such as web application firewalls that can detect and block suspicious CSRF patterns targeting the affected endpoints. The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses, and maps to ATT&CK technique T1566.001 for credential harvesting through phishing and social engineering. Security teams should also conduct comprehensive audits of all Jenkins plugins to identify similar CSRF vulnerabilities and establish proper session management protocols that ensure all state-changing operations require proper authentication verification and origin validation.

Reservation

09/21/2022

Disclosure

09/21/2022

Moderation

accepted

CPE

ready

EPSS

0.00372

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!