Description
A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw exists in the Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier, allowing an attacker to craft a request that causes the plugin to connect to an attacker‑specified URL using a credentials ID that the attacker already has access to, thereby exposing AWS credentials stored in Jenkins. This leads to credential theft and the possibility of unauthorized access to AWS resources.

Affected Systems

Jenkins Project Jenkins EC2 Fleet Plugin versions 4.2.3.539.v8fedff2a_81c3 and all earlier releases are affected. The vulnerability impacts any instance where the plugin is installed and enabled on a Jenkins server.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. An EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting that documented exploitation is limited. The attack requires the attacker to already possess a valid credentials ID and to trick an authenticated Jenkins user into submitting a malicious request; it does not grant arbitrary code execution on the Jenkins server.

Generated by OpenCVE AI on June 24, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins EC2 Fleet Plugin to version 4.2.4 or later to eliminate the CSRF vulnerability.
  • Revoke and rotate any AWS credentials that may have been exposed through the plugin and update Jenkins with the new credentials.
  • Enable Jenkins’ global CSRF protection if not already enabled, ensuring all configuration changes require a valid CSRF token.

Generated by OpenCVE AI on June 24, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Ec2 Fleet Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Ec2 Fleet Plugin

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery Allows Retrieval of Stored AWS Credentials in Jenkins EC2 Fleet Plugin

Wed, 24 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Jenkins EC2 Fleet Plugin Leading to AWS Credentials Exposure
Weaknesses CWE-200

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Jenkins EC2 Fleet Plugin Leading to AWS Credentials Exposure
Weaknesses CWE-200
CWE-352

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
References

Subscriptions

Jenkins Project Jenkins Ec2 Fleet Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T15:16:42.103Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57295

cve-icon Vulnrichment

Updated: 2026-06-24T15:16:24.145Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:03Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)