Allele Security Alert
Identifier(s): ASA-2019-00099, SECURITY-905, CVE-2019-1003016
Title: Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Job Import Plugin allowed capturing credentials
Affected version(s): Job Import Plugin up to and including 2.1
Fixed version(s): Job Import Plugin version 3.0
Proof of concept
Description: Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
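The defect described above combines two missing controls on one endpoint: no permission check beyond the implicit Overall/Read needed to reach the URL, and no protection against the request being forged cross-site. The following is an added illustration of the defensive pattern in Jenkins plugin code; it is not the Job Import Plugin's own source, and the action name, URL name and the choice of Overall/Administer as the required permission are assumptions, since this page does not state which permission the fixed plugin enforces.

```java
package example; // hypothetical package, not the plugin's own

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical root action exposing a "connect to a remote Jenkins" endpoint
 * at /remote-query/connect, similar in shape to the endpoint the advisory
 * describes. Only the hardened form is shown as live code.
 */
@Extension
public class RemoteQueryAction implements RootAction {

    public String getIconFileName() { return null; } // no sidebar link
    public String getDisplayName() { return null; }
    public String getUrlName() { return "remote-query"; }

    // Weak form (the pattern the advisory describes): a plain doXxx method with
    // no permission check and no POST requirement. Any user who can reach the
    // URL (Overall/Read) could have the server connect to a URL of their
    // choosing with a stored credentials ID, and a GET could be forged
    // cross-site.
    //
    //   public HttpResponse doConnect(@QueryParameter String url,
    //                                 @QueryParameter String credentialsId) {
    //       return connectTo(url, credentialsId);
    //   }

    // Hardened form: @RequirePOST rejects GET, so the request must carry the
    // Jenkins CSRF crumb, and checkPermission() throws AccessDeniedException
    // for callers who lack the required permission before any connection is
    // attempted or any credential is resolved.
    @RequirePOST
    public HttpResponse doConnect(@QueryParameter String url,
                                  @QueryParameter String credentialsId) {
        // Assumption: Overall/Administer is required here; the permission the
        // fixed plugin actually enforces is not stated on this page.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connectTo(url, credentialsId);
    }

    /** Placeholder for the remote connection; the real work is out of scope here. */
    private HttpResponse connectTo(String url, String credentialsId) {
        return HttpResponses.ok();
    }
}
```

The order matters: the permission check runs before the credentials ID is resolved, so an unauthorised caller learns nothing about which IDs exist. When reviewing a plugin for this class of issue, look for every `do*` method that reads a credentials ID or performs outbound network access and confirm it both requires POST and checks a permission stronger than Overall/Read.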
Credit: Thomas Chauchefoin (Synacktiv) and Julien Szlamowicz (Synacktiv)
Reference(s): Jenkins Security Advisory 2019-01-28
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019