A cross‑site request forgery flaw allows an attacker to invoke the Pipeline Snippet Generator and force it to instantiate configuration objects that are not standard Pipeline steps. The result can be the creation, modification, or deletion of jobs, system settings, or other internal configuration types, thereby altering Jenkins behavior or exposing sensitive data. This weakness is categorized as CWE‑352, indicating a state‑changing attack that does not require remote code execution but does grant the attacker significant influence over the system's configuration.

All releases of the Jenkins Project "Jenkins Pipeline: Groovy Plugin" up to and including version 4331.v9d06ed4658ff are affected. Any Jenkins instance that has these plug‑in versions and that exposes the Pipeline Snippet Generator is vulnerable unless the plug‑in is upgraded or the generator is disabled.

The vulnerability can be triggered by a user who already holds a valid Jenkins session cookie. Likely attack vector is a crafted HTTP POST sent to the Pipeline Snippet Generator endpoint from a malicious web page or script that the user visits while authenticated. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, implying limited public exploitation to date. The exploitation path is straightforward if CSRF protection is disabled or the endpoint is exempt, and because the attacker can instantiate arbitrary configuration types the impact can reach system‑wide integrity and availability. The CVSS score is 4.3, indicating a moderate level of severity.