ASA-2019-00105 – Jenkins: Monitoring Plugin did not apply Cross-Site Request Forgery (CSRF) protection even if enabled in Jenkins


Allele Security Alert

ASA-2019-00105

Identifier(s)

ASA-2019-00105, SECURITY-1153, CVE-2019-1003022

Title

Monitoring Plugin did not apply Cross-Site Request Forgery (CSRF) protection even if enabled in Jenkins

Vendor(s)

Jenkins project

Product(s)

Jenkins Monitoring Plugin

Affected version(s)

Monitoring Plugin up to and including 1.74.0

Fixed version(s)

Monitoring Plugin version 1.75.0

Proof of concept

Unknown

Description

Monitoring Plugin provides a standalone JavaMelody servlet with its own CSRF protection configuration, independent of the global Jenkins setting. Even when CSRF protection was enabled in Jenkins, the Monitoring Plugin's servlet may not have had it enabled.
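As an added defender-side check (not part of this advisory and not code from the Jenkins project or the Monitoring Plugin), the following Python script classifies installed Monitoring Plugin versions against the affected range stated above (up to and including 1.74.0 affected, 1.75.0 fixed). The inventory it reads is constructed sample data in the shape of the Jenkins `pluginManager/api/json?depth=1` response (`shortName`/`version` fields); the version-ordering rules, in particular treating a qualifier such as `-beta` as a pre-release of the same numeric version, are this example's own assumptions.

```python
"""Classify Monitoring Plugin versions against ASA-2019-00105 / CVE-2019-1003022.

Added example, not part of the advisory. SAMPLE_INVENTORY is constructed data
that mimics the shape of Jenkins' pluginManager/api/json?depth=1 output; in
real use the JSON would be fetched from that endpoint instead.
"""
import json
import re

# Boundaries taken from the advisory text.
AFFECTED_MAX = "1.74.0"   # last affected release
FIXED_MIN = "1.75.0"      # first fixed release
PLUGIN_SHORT_NAME = "monitoring"  # short name used at plugins.jenkins.io/monitoring

# Constructed sample inventory (not real Jenkins output).
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "monitoring", "version": "1.74.0", "active": True},
        {"shortName": "git", "version": "3.9.1", "active": True},
    ]
})


def parse_version(v):
    """Split '1.74.0-beta' into ([1, 74, 0], 'beta'); qualifier may be empty."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    qualifier = m.group(2).lstrip("-.")
    return nums, qualifier


def compare_versions(a, b):
    """Return -1, 0 or 1. Numeric components compare numerically (so 1.8 < 1.74),
    missing trailing components count as 0 (1.75 == 1.75.0), and a release with
    a qualifier is assumed to be a pre-release that ranks below the bare number."""
    nums_a, qual_a = parse_version(a)
    nums_b, qual_b = parse_version(b)
    width = max(len(nums_a), len(nums_b))
    nums_a = nums_a + [0] * (width - len(nums_a))
    nums_b = nums_b + [0] * (width - len(nums_b))
    if nums_a != nums_b:
        return -1 if nums_a < nums_b else 1
    if (qual_a == "") != (qual_b == ""):
        return 1 if qual_a == "" else -1
    return (qual_a > qual_b) - (qual_a < qual_b)


def is_affected(version):
    """True when the version is at or below the last affected release."""
    return compare_versions(version, AFFECTED_MAX) <= 0


def find_affected(inventory_json):
    """Scan a plugin inventory and report every Monitoring Plugin entry found."""
    data = json.loads(inventory_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        findings.append({
            "version": version,
            "affected": is_affected(version),
            "fixed_in": FIXED_MIN,
        })
    return findings


if __name__ == "__main__":
    for finding in find_affected(SAMPLE_INVENTORY):
        state = "AFFECTED, upgrade to" if finding["affected"] else "not affected, fixed since"
        print(f"monitoring {finding['version']}: {state} {finding['fixed_in']}")
```

The numeric comparison matters here: a naive string comparison would rank "1.8" above "1.74.0" and miss an old installation, which is exactly the kind of entry an inventory sweep for this advisory needs to catch.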

Technical details

Unknown

Credits

Daniel Beck (CloudBees, Inc)

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

Jenkins Plugins
https://plugins.jenkins.io/monitoring

CVE-2019-1003022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003022

CVE-2019-1003022
https://nvd.nist.gov/vuln/detail/CVE-2019-1003022

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.