Allele Security Alert
ASA-2019-00105
Identifier(s)
ASA-2019-00105, SECURITY-1153, CVE-2019-1003022
Title
Monitoring Plugin did not apply Cross-Site Request Forgery (CSRF) protection even if enabled in Jenkins
Vendor(s)
Jenkins project
Product(s)
Jenkins Monitoring Plugin
Affected version(s)
Monitoring Plugin up to and including 1.74.0
Fixed version(s)
Monitoring Plugin version 1.75.0
Proof of concept
Unknown
Description
Monitoring Plugin provides a standalone JavaMelody servlet with its own, independent CSRF protection configuration. Even when CSRF protection is enabled in Jenkins, the Monitoring Plugin's servlet may not have it enabled.
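The following is an added illustration, not code from Jenkins, JavaMelody or the Monitoring Plugin. It models the point of the description: a host application enforces a CSRF crumb on its own POST handlers, while an embedded servlet carries a separate CSRF switch, so a POST routed to that servlet is not covered by the host's setting. The crumb scheme (HMAC over a session id, a `Jenkins-Crumb` header), the `/monitoring` path, the class and function names and the secret are all simplified assumptions for the example; the fix shown (applying the host's crumb check at the dispatch layer before the request reaches the servlet) is one possible design, not the plugin's actual patch.

```python
import hashlib
import hmac

# Constructed example secret; not a Jenkins value.
CRUMB_SECRET = b"constructed-example-secret"
# Header name assumed for the example (Jenkins' default crumb header has this name).
CRUMB_HEADER = "Jenkins-Crumb"


def issue_crumb(session_id: str) -> str:
    """Bind a crumb to the session: HMAC-SHA256(secret, session id). Simplified model."""
    return hmac.new(CRUMB_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def crumb_valid(session_id: str, headers: dict) -> bool:
    """Constant-time check of the presented crumb against the expected one."""
    presented = headers.get(CRUMB_HEADER, "")
    return hmac.compare_digest(presented, issue_crumb(session_id))


def needs_crumb(request: dict) -> bool:
    """Only state-changing requests are subject to the crumb check."""
    return request["method"] == "POST"


class MonitoringServlet:
    """Stand-in for a standalone servlet with its own CSRF switch (hypothetical)."""

    def __init__(self, csrf_enabled: bool):
        self.csrf_enabled = csrf_enabled

    def handle(self, request: dict) -> int:
        # The servlet consults ITS OWN flag, not the host's.
        if needs_crumb(request) and self.csrf_enabled:
            if not crumb_valid(request["session"], request["headers"]):
                return 403
        return 200


class HostDispatcher:
    """Stand-in for the host application's request routing (hypothetical)."""

    def __init__(self, host_csrf_enabled: bool, servlet: MonitoringServlet,
                 enforce_host_policy_on_servlet: bool):
        self.host_csrf_enabled = host_csrf_enabled
        self.servlet = servlet
        # The hardened variant applies the host's policy before delegating.
        self.enforce_host_policy_on_servlet = enforce_host_policy_on_servlet

    def host_check_fails(self, request: dict) -> bool:
        return (needs_crumb(request) and self.host_csrf_enabled
                and not crumb_valid(request["session"], request["headers"]))

    def dispatch(self, request: dict) -> int:
        if request["path"].startswith("/monitoring"):
            if self.enforce_host_policy_on_servlet and self.host_check_fails(request):
                return 403
            return self.servlet.handle(request)
        # Host's own POST handlers are always covered by the host setting.
        return 403 if self.host_check_fails(request) else 200


def run_scenarios() -> dict:
    """Return status codes for a crumb-less POST and a crumb-bearing POST under
    three configurations: host endpoint, vulnerable plugin, hardened plugin."""
    session = "constructed-session-1"
    no_crumb = {"method": "POST", "path": "/monitoring", "session": session, "headers": {}}
    with_crumb = {"method": "POST", "path": "/monitoring", "session": session,
                  "headers": {CRUMB_HEADER: issue_crumb(session)}}
    host_post = {"method": "POST", "path": "/job/build", "session": session, "headers": {}}

    # Host has CSRF protection on; the servlet's independent switch is off.
    vulnerable = HostDispatcher(True, MonitoringServlet(csrf_enabled=False),
                                enforce_host_policy_on_servlet=False)
    hardened = HostDispatcher(True, MonitoringServlet(csrf_enabled=False),
                              enforce_host_policy_on_servlet=True)
    return {
        "host_endpoint_no_crumb": vulnerable.dispatch(host_post),
        "vulnerable_plugin_no_crumb": vulnerable.dispatch(no_crumb),
        "hardened_plugin_no_crumb": hardened.dispatch(no_crumb),
        "hardened_plugin_with_crumb": hardened.dispatch(with_crumb),
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

The `vulnerable_plugin_no_crumb` scenario is the gap the advisory describes: the host's global setting is on, yet the request reaches the servlet unchecked because the servlet reads only its own flag. The hardened dispatcher closes it by applying the host policy before delegation, so a crumb-bearing request still succeeds while a crumb-less one is rejected. When verifying a deployment, the practical check is the same: confirm that a POST to the plugin's endpoint without a valid crumb is rejected once the host's CSRF protection is enabled, rather than trusting the host-level setting alone.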
Technical details
Unknown
Credits
Daniel Beck (CloudBees, Inc.)
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugins
https://plugins.jenkins.io/monitoring
CVE-2019-1003022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003022
CVE-2019-1003022
https://nvd.nist.gov/vuln/detail/CVE-2019-1003022
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 6, 2019