Allele Security Alert
ASA-2019-00099
Identifier(s)
ASA-2019-00099, SECURITY-905, CVE-2019-1003016
Title
Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Job Import Plugin allowed capturing credentials
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Job Import Plugin up to and including 2.1
Fixed version(s)
Job Import Plugin version 3.0
Proof of concept
Unknown
Description
Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
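The following is an added illustration, not code from the Job Import Plugin or from Jenkins: a hypothetical Jenkins RootAction with a "test connection to remote Jenkins" endpoint, first in the shape the description above implies (no permission check, reachable over GET, credentials resolved as SYSTEM) and then hardened with a POST requirement, an explicit permission check, a scheme check on the URL, and credential lookup as the requesting user. The class name, method names, URL name and the choice of Jenkins.ADMINISTER as the gate are assumptions; the Jenkins, Stapler and Credentials Plugin APIs used are real.

```java
// Added example (hypothetical plugin code, not the Job Import Plugin's own).
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.Extension;
import hudson.model.RootAction;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

@Extension
public class RemoteJenkinsConnectAction implements RootAction {

    // VULNERABLE shape (what the advisory describes): no permission check, so any
    // user with Overall/Read can call it; reachable over GET, so a forged link
    // triggers it (CSRF); credentials are resolved as SYSTEM, so any stored
    // credentials ID can be named and sent to a caller-chosen URL.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
        return probe(url, credentialsId, ACL.SYSTEM);
    }

    // HARDENED shape: POST-only (Jenkins enforces its CSRF crumb on POST), an
    // explicit permission check before any work, a scheme check on the target,
    // and credential lookup as the requesting user rather than SYSTEM.
    // Jenkins.ADMINISTER is an assumed gate; a plugin may define a narrower one.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (url == null || !(url.startsWith("http://") || url.startsWith("https://"))) {
            return FormValidation.error("URL must use http or https");
        }
        return probe(url, credentialsId, Jenkins.getAuthentication());
    }

    // Shared worker: resolve the credentials ID under the given authentication
    // and issue one authenticated GET against the remote Jenkins JSON API.
    private static FormValidation probe(String url, String credentialsId, Authentication auth) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), auth,
                        URIRequirementBuilder.fromUri(url).build()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No usable credentials with ID: " + credentialsId);
        }
        String basic = Base64.getEncoder().encodeToString(
                (c.getUsername() + ":" + c.getPassword().getPlainText())
                        .getBytes(StandardCharsets.UTF_8));
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url + "/api/json").openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Authorization", "Basic " + basic);
            int status = conn.getResponseCode();
            return status == 200 ? FormValidation.ok("Connected")
                                 : FormValidation.error("Remote returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    @Override public String getIconFileName() { return null; } // hidden from the sidebar
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "remote-jenkins-connect"; }
}
```

The two guards that matter for the class of bug described above are the permission check at the top of the POST-only method and the lookup under the caller's own authentication: together they ensure that a request must originate from a user who is allowed to use a given credential, that the request carries a CSRF crumb, and that the credential cannot be reached merely by guessing or otherwise learning its ID.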
Technical details
Unknown
Credits
Thomas Chauchefoin (Synacktiv) and Julien Szlamowicz (Synacktiv)
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugins
https://plugins.jenkins.io/job-import-plugin
CVE-2019-1003016
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003016
CVE-2019-1003016
https://nvd.nist.gov/vuln/detail/CVE-2019-1003016
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019