CVE-2022-30972: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability was identified in Jenkins Storable Configs Plugin version 1.0 and earlier, tracked as CVE-2022-30972. The vulnerability was discovered and disclosed as part of the Jenkins Security Advisory published on May 17, 2022. This vulnerability affects the Storable Configs Plugin, which is a Jenkins plugin used for XML configuration handling (Jenkins Advisory).

The vulnerability stems from an HTTP endpoint that calls the XML parser but does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. This issue is coupled with CVE-2022-30971, which relates to the XML parser not being configured to prevent XML external entity (XXE) attacks. The vulnerability has been assigned a High severity (CVSS) rating (Jenkins Advisory).

The vulnerability allows attackers to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or perform server-side request forgery. The attack requires the attacker to have Item/Configure permission in Jenkins (Jenkins Advisory).

As of the advisory publication on May 17, 2022, no fix was available for the Storable Configs Plugin. Users should monitor for updates and consider implementing general CSRF protections at the web application level until a patch becomes available (Jenkins Advisory).