ASA-2019-00099 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Job Import Plugin allowed capturing credentials


Allele Security Alert

ASA-2019-00099

Identifier(s)

ASA-2019-00099, SECURITY-905, CVE-2019-1003016

Title

Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Job Import Plugin allowed capturing credentials

Vendor(s)

CloudBees, Inc.

Product(s)

Jenkins

Affected version(s)

Job Import Plugin up to and including 2.1

Fixed version(s)

Job Import Plugin version 3.0

Proof of concept

Unknown

Description

Job Import Plugin did not check user permissions on the API endpoint it uses to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to make the plugin connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, thereby capturing credentials stored in Jenkins. The same endpoint was also exposed to cross-site request forgery (CSRF), so such a connection could be triggered on behalf of a logged-in user.
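The following is an added illustration of the vulnerability pattern described above, written for this alert; it is not code from the Job Import Plugin or from the Jenkins project. It shows a hypothetical "test connection" endpoint in the form-handler style used by Jenkins plugins: the vulnerable version resolves any credentials ID and connects to any URL for any caller, while the hardened version requires POST (so Jenkins CSRF protection applies), checks an explicit permission, and only resolves credentials the caller is allowed to use. The class name, method names and the choice of Jenkins.ADMINISTER as the guarding permission are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.util.Collections;

/** Hypothetical form handler for a "connect to remote Jenkins" field (not the plugin's code). */
public class RemoteConnectionCheck {

    // Vulnerable pattern: reachable by GET (hence also by CSRF) and by any Overall/Read user.
    // The caller chooses both the credentials ID and the destination URL, so the stored
    // secret is sent to whatever host the URL names.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        return connect(url, c);
    }

    // Hardened pattern: POST-only (Jenkins enforces its CSRF crumb on POST), an explicit
    // permission check, and a check that the caller may use stored credentials at all.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins j = Jenkins.get();
        j.checkPermission(Jenkins.ADMINISTER); // assumed permission; use the one guarding the feature
        if (!j.hasPermission(CredentialsProvider.USE_ITEM)) {
            return FormValidation.error("Not allowed to use stored credentials");
        }
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("Unknown credentials ID");
        return connect(url, c);
    }

    // Resolve a credentials ID to the stored credentials object (null if absent).
    private static StandardUsernamePasswordCredentials lookup(String id) {
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                Jenkins.get(), ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
            CredentialsMatchers.withId(id));
    }

    // Placeholder for the HTTP call to the remote instance using c's username and password.
    private static FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
        return FormValidation.ok("Would connect to " + url);
    }
}
```

Reviewing a plugin for this class of bug means finding every `do*` form handler that takes a `credentialsId` or a URL and confirming it carries both a POST requirement and a permission check before anything is resolved or contacted.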

Technical details

Unknown

Credits

Thomas Chauchefoin (Synacktiv) and Julien Szlamowicz (Synacktiv)

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

Jenkins Plugins
https://plugins.jenkins.io/job-import-plugin

CVE-2019-1003016 (MITRE)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003016

CVE-2019-1003016 (NVD)
https://nvd.nist.gov/vuln/detail/CVE-2019-1003016

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.