CVE-2019-1003016

MEDIUM4.3EPSS 0.16%

Jenkins Job Import Plugin vulnerable to exposure of sensitive information

Published: 5/13/2022Modified: 2/16/2024

Description

Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Job Import Plugin 3.0 will only access Jenkins instances using credentials defined in the global configuration.

Affected packages (1)

Maven/org.jenkins-ci.plugins:job-import-pluginfrom 0, < 3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (2)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-1003016
WEBhttps://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(2)