Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-20612
• https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558
• http://www.openwall.com/lists/oss-security/2022/01/12/6
• https://www.jenkins.io/changelog-stable/#v2.319.2
• https://www.jenkins.io/changelog/#v2.330
• https://www.oracle.com/security-alerts/cpuapr2022.html
• jenkinsci/jenkins@b5c3764