Allele Security Alert
ASA-2019-00100
Identifier(s)
ASA-2019-00100, SECURITY-1302, CVE-2019-1003017
Title
Cross-Site Request Forgery (CSRF) vulnerability in Job Import Plugin allowed creating and overwriting jobs
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Job Import Plugin up to and including 3.0
Fixed version(s)
Job Import Plugin version 3.1
Proof of concept
Unknown
Description
Job Import Plugin did not require that requests to its /import URL, which processes job imports, be sent via POST. This resulted in a cross-site request forgery (CSRF) vulnerability that could be exploited to create jobs on the local instance, to replace existing local jobs if the remote Jenkins instance has different ones with the same name, or to install additional plugins if jobs on the remote instance reference them in their configuration.
Job Import Plugin 3.0 already restricted which remote Jenkins instances jobs can be imported from, which limits how this can be exploited. As of Job Import Plugin 3.1, the /import URL only accepts POST requests. Requiring POST matters because Jenkins's CSRF protection (the crumb check) is only applied to POST requests; a GET is never subject to it.
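The following is an added example, not code from the Job Import Plugin or from Jenkins. It models the bug the advisory describes (a state-changing /import URL reachable by any HTTP method, so a cross-site GET carrying the victim's session cookie performs the import) beside the shape of the fix (reject anything but POST, and then validate a Jenkins-style crumb on the POST). The path, the session and job model, and the HMAC crumb scheme are assumptions made for the demonstration.

```python
"""Added example, not code from the Job Import Plugin or Jenkins.
It models the advisory's bug (a state-changing /import URL reachable
by any HTTP method) beside the shape of the fix (POST only, with
Jenkins-style crumb validation on the POST). Names, paths and the
crumb scheme are assumptions made for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed per-instance secret, as a crumb issuer would hold (constructed).
CRUMB_SECRET = b"constructed-demo-secret"
IMPORT_PATH = "/plugin/job-import/import"   # assumed path, mirrors the advisory's /import


@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict                  # the browser attaches these to cross-site requests too
    headers: dict = field(default_factory=dict)


@dataclass
class Server:
    jobs: dict = field(default_factory=dict)       # local jobs by name
    sessions: dict = field(default_factory=dict)   # session id -> user

    def user(self, req):
        return self.sessions.get(req.cookies.get("JSESSIONID"))

    def issue_crumb(self, session_id):
        # Crumb bound to the session; an attacker's page cannot read or guess it.
        return hmac.new(CRUMB_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

    def crumb_valid(self, req):
        sid = req.cookies.get("JSESSIONID", "")
        presented = req.headers.get("Jenkins-Crumb", "")
        return hmac.compare_digest(presented, self.issue_crumb(sid))

    def _do_import(self, req, user):
        # The state change: create or overwrite a local job from a remote instance.
        self.jobs[req.params["job"]] = {"owner": user, "source": req.params["remote"]}
        return 200

    def import_vulnerable(self, req):
        """Pre-3.1 shape: authenticated, but any method reaches the state change."""
        user = self.user(req)
        if user is None:
            return 403
        return self._do_import(req, user)

    def import_hardened(self, req):
        """3.1 shape: POST only; the POST must then pass crumb validation."""
        if req.method != "POST":
            return 405
        user = self.user(req)
        if user is None:
            return 403
        if not self.crumb_valid(req):
            return 403
        return self._do_import(req, user)


def csrf_scenarios():
    """Replays a cross-site GET, a cross-site form POST and a legitimate POST
    against both handlers; returns status codes and where the job came from."""
    cookies = {"JSESSIONID": "sess-victim"}
    params = {"job": "deploy", "remote": "https://attacker.example/jenkins"}
    out = {}

    # 1. Cross-site GET, e.g. <img src="https://jenkins/plugin/job-import/import?...">
    srv = Server(jobs={"deploy": {"owner": "admin", "source": "local"}},
                 sessions={"sess-victim": "admin"})
    forged_get = Request("GET", IMPORT_PATH, params, cookies)
    out["vuln_get"] = srv.import_vulnerable(forged_get)
    out["vuln_get_source"] = srv.jobs["deploy"]["source"]

    # 2. The same forged GET against the hardened handler.
    srv = Server(jobs={"deploy": {"owner": "admin", "source": "local"}},
                 sessions={"sess-victim": "admin"})
    out["hard_get"] = srv.import_hardened(forged_get)
    out["hard_get_source"] = srv.jobs["deploy"]["source"]

    # 3. Cross-site auto-submitted form: POST, cookie attached, but no crumb.
    forged_post = Request("POST", IMPORT_PATH, params, cookies)
    out["hard_post_no_crumb"] = srv.import_hardened(forged_post)

    # 4. Legitimate same-origin POST carrying the crumb the page fetched.
    good_post = Request("POST", IMPORT_PATH,
                        {"job": "deploy", "remote": "https://trusted.example/jenkins"},
                        cookies, {"Jenkins-Crumb": srv.issue_crumb("sess-victim")})
    out["hard_post_crumb"] = srv.import_hardened(good_post)
    out["hard_post_source"] = srv.jobs["deploy"]["source"]
    return out


if __name__ == "__main__":
    for key, value in csrf_scenarios().items():
        print(f"{key}: {value}")
```

Scenario 1 is the advisory's bug: the browser attaches the victim's session cookie to a cross-site GET, so the vulnerable handler overwrites the local job. Scenario 2 shows the 3.1 fix stopping that request. Scenarios 3 and 4 show why requiring POST is enough in Jenkins: the POST then passes through crumb validation, which a cross-site form cannot satisfy, while the instance's own pages can.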
Technical details
Unknown
Credits
Daniel Beck (CloudBees, Inc)
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugins
https://plugins.jenkins.io/job-import-plugin
CVE-2019-1003017
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003017
CVE-2019-1003017
https://nvd.nist.gov/vuln/detail/CVE-2019-1003017
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019