CVE-2019-1003016 – org.jenkins-ci.plugins:job-import-plugin
Package
Manager: maven
Name: org.jenkins-ci.plugins:job-import-plugin
Vulnerable Version: >=0 <3.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00134 pctl0.33856
Details
Jenkins Job Import Plugin vulnerable to exposure of sensitive information
Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Job Import Plugin 3.0 will only access Jenkins instances using credentials defined in the global configuration.
Metadata
Created: 2022-05-13T01:31:34Z
Modified: 2023-10-25T23:04:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-57ww-2cvr-wv38/GHSA-57ww-2cvr-wv38.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-57ww-2cvr-wv38
Finding: F076
Auto approve: 1