Impact
A cross‑site request forgery flaw exists in the Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier, allowing an attacker to craft a request that causes the plugin to connect to an attacker‑specified URL using a credentials ID that the attacker already has access to, thereby exposing AWS credentials stored in Jenkins. This leads to credential theft and the possibility of unauthorized access to AWS resources.
Affected Systems
Jenkins Project Jenkins EC2 Fleet Plugin versions 4.2.3.539.v8fedff2a_81c3 and all earlier releases are affected. The vulnerability impacts any instance where the plugin is installed and enabled on a Jenkins server.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity. An EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting that documented exploitation is limited. The attack requires the attacker to already possess a valid credentials ID and to trick an authenticated Jenkins user into submitting a malicious request; it does not grant arbitrary code execution on the Jenkins server.
OpenCVE Enrichment