GHSA-85rq-hp8x-ghjq

GitHub Security Advisory

Cross-Site Request Forgery in Jenkins Mailer Plugin

✓ GitHub Reviewed MODERATE Has CVE

Jenkins Mailer Plugin prior to 408.vd726a_1130320 and 1.34.2 does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a_1130320 and 1.34.2 require POST requests and Overall/Administer permission for the affected form validation method.

Maven org.jenkins-ci.plugins:mailer

Affected versions: 391.ve4a38c1bcf4b (fixed in 408.vd726a)

Maven org.jenkins-ci.plugins:mailer

Affected versions: 0 (fixed in 1.34.2)

CVE-2022-20613

GHSA ID

GHSA-85rq-hp8x-ghjq

Published

January 13, 2022 12:01 AM

Last Modified

October 27, 2023 4:15 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:mailer

GitHub Reviewed

✓ Yes

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.