Miggo Logo
Miggo Vulnerability Database
CVE-2018-1999039

CVE-2018-1999039: Server-Side Request Forgery (SSRF) in Jenkins Confluence Publisher Plugin

4.3

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-1999039
GHSA ID
GHSA-5339-9974-hqj9
EPSS Score
0.07093%
CWE
CWE-918
Published
5/14/2022
Updated
1/30/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:confluence-publishermaven<= 2.0.12.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on improper access controls in form validation. Jenkins plugin patterns indicate form validation methods are typically named doValidate* in DescriptorImpl classes. The advisory explicitly mentions ConfluenceSite.java as the vulnerable location and describes missing permission checks + CSRF vulnerability in form validation - characteristics that map to a descriptor's doValidateLogin() method handling server URL/credential validation. The $DescriptorImpl suffix reflects Jenkins' pattern for configuration descriptor inner classes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s*rv*r-si** r*qu*st *or**ry vuln*r**ility *xists in J*nkins *on*lu*n** Pu*lis**r Plu*in *.*.* *n* **rli*r in *on*lu*n**Sit*.j*v* t**t *llows *tt**k*rs to **v* J*nkins su*mit lo*in r*qu*sts to *n *tt**k*r-sp**i*i** *on*lu*n** s*rv*r URL wit* *tt**k*

Reasoning

T** vuln*r**ility **nt*rs on improp*r ****ss *ontrols in *orm v*li**tion. J*nkins plu*in p*tt*rns in*i**t* *orm v*li**tion m*t*o*s *r* typi**lly n*m** `*oV*li**t**` in `**s*riptorImpl` *l*ss*s. T** **visory *xpli*itly m*ntions `*on*lu*n**Sit*.j*v*` *