Allele Security Alert
ASA-2019-00100, SECURITY-1302, CVE-2019-1003017
Cross-Site Request Forgery (CSRF) vulnerability in Job Import Plugin allowed creating and overwriting jobs
Affected versions: Job Import Plugin up to and including 3.0
Fixed version: Job Import Plugin version 3.1
Proof of concept
Job Import Plugin did not require that requests to its /import URL, which processes requests to import jobs, be sent via POST. This resulted in a cross-site request forgery (CSRF) vulnerability that could be exploited to create or replace jobs on the local instance if the remote Jenkins instance has different ones with the same name, or to install additional plugins if jobs on the remote Jenkins instance reference them in their configuration.
Job Import Plugin 3.0 restricted which remote Jenkins instances jobs can be imported from, limiting how this can be exploited. From Job Import Plugin 3.1, the /import URL requires that requests are sent via POST.
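To illustrate the defect and the fix described above, here is an added example of a Stapler web-bound handler before and after requiring POST; it is not the Job Import Plugin's own source, and the class name, the importJobs helper and the remoteUrl parameter are assumptions.

```java
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

// Illustrative handlers only (assumed names, not the plugin's code).
// Stapler binds a method named doImport() to the URL path /import.
public class JobImportExample {

    // Vulnerable form: any HTTP method reaches this handler. Jenkins' CSRF
    // crumb is only validated on POST requests, so a GET triggered from
    // another site is processed with the victim's Jenkins session.
    public void doImport(StaplerRequest req, StaplerResponse rsp) throws IOException {
        importJobs(req.getParameter("remoteUrl"));
    }

    // Fixed form (the 3.1 behaviour): @RequirePOST makes Stapler reject any
    // request that is not a POST (HTTP 405) before the body runs, and POST
    // requests are subject to Jenkins' crumb check, which a cross-site page
    // cannot satisfy.
    @RequirePOST
    public void doImportFixed(StaplerRequest req, StaplerResponse rsp) throws IOException {
        importJobs(req.getParameter("remoteUrl"));
    }

    // Placeholder for the import logic; the real plugin fetches job
    // configurations from the remote instance named by the request.
    private void importJobs(String remoteUrl) {
        // assumed: create or update local jobs from remoteUrl
    }
}
```

When verifying a fixed instance, a non-POST request to the endpoint should be rejected rather than processed.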
Daniel Beck (CloudBees, Inc)
Jenkins Security Advisory 2019-01-28
If there is any error in this alert, or you wish for a comprehensive analysis, let us know.
Last modified: February 24, 2019