Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result. A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the Single user, multiple jobs report however, there is no fix at this time. Other report types are still affected.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-41236
• https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2051