Ecosyste.ms: Advisories


Jenkins Job Import Plugin vulnerable to exposure of sensitive information

Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Job Import Plugin 3.0 will only access Jenkins instances using credentials defined in the global configuration.
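The endpoint shape the advisory describes, shown as an added Java illustration (not the Job Import Plugin's own code): a Stapler form-validation method that connects to a remote Jenkins with a stored credential, first without any permission check, then gated on Overall/Administer and resolving the credentials ID only against the global store. The class and method names are hypothetical; the Jenkins, Stapler and Credentials Plugin APIs used are real.

```java
// Added illustration, not the Job Import Plugin's own code; names are hypothetical.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
public class RemoteJenkinsCheck {
    // Vulnerable shape: reachable by anyone with Overall/Read, and it forwards
    // whichever stored credential the caller names to whichever URL they supply.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url, @QueryParameter String credentialsId) {
        return probe(url, globalCredential(credentialsId));
    }
    // Hardened shape: only a POST from a user holding Overall/Administer (the
    // permission that governs global configuration) may make Jenkins dial out.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url, @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(url, globalCredential(credentialsId));
    }
    // Resolve the id against the global store only (Jenkins as the ItemGroup), as 3.0 does per the advisory.
    private static StandardUsernamePasswordCredentials globalCredential(String id) {
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(id));
    }
    // Basic-auth GET of the remote /api/json: the outbound request is where the stored secret leaves the instance.
    private static FormValidation probe(String url, StandardUsernamePasswordCredentials c) {
        if (c == null) return FormValidation.error("Unknown credentials id");
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url + "/api/json").openConnection();
            String auth = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization",
                "Basic " + Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8)));
            return conn.getResponseCode() == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + conn.getResponseCode());
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The permission check is what the advisory says was missing; the global-only credential lookup mirrors the 3.0 behaviour, and together they stop a read-only user from directing stored credentials to a URL of their choosing.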

Permalink: https://github.com/advisories/GHSA-57ww-2cvr-wv38
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01N3d3LTJjdnItd3YzOM4AAQ7G
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 7 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-57ww-2cvr-wv38, CVE-2019-1003016
References: none listed
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:job-import-plugin
Affected Version Ranges: <= 2.1
Fixed in: 3.0