
CVE-2019-1003017: Jenkins Job Import Plugin CSRF vulnerability

CVSS Score: 5.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.2458%
Published: 5/13/2022
Updated: 1/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name: org.jenkins-ci.plugins:job-import-plugin
Ecosystem: maven
Vulnerable Versions: <= 3.0
First Patched Version: 3.1

Vulnerability Intelligence

Root Cause Analysis

The commit diff shows these methods were modified to add @POST annotations and permission checks (Jenkins.get().checkPermission). The vulnerability description explicitly states the lack of POST enforcement led to CSRF. The CWE-352 mapping confirms this is a CSRF flaw. The removed fetchUrl2 in URLUtils.java appears unrelated to the CSRF vector (likely addressing a different vulnerability like XXE).
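The fix pattern described above (restricting the handler to POST and adding an explicit permission check) is easy to see in a minimal Jenkins action. The following is an added example written for this page; it is not code from the Job Import Plugin, from Jenkins, or from Miggo. The class name ExampleImportAction, the method names doImportInsecure and doImport, and the choice of Jenkins.ADMINISTER as the required permission are assumptions made for illustration; the plugin's actual method names and permission are not shown on this page.

```java
// Added example, not the plugin's own code. Class name, method names and the
// permission used are assumptions chosen for illustration.
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleImportAction implements RootAction {

    // BEFORE (the weak pattern): Stapler routes /example-import/importInsecure
    // to this method for any HTTP verb, including GET, and nothing checks who
    // is calling. Because Jenkins' crumb (CSRF token) filter only applies to
    // POST, a GET request carrying the victim's session performs the state
    // change without any token. This is the CWE-352 condition the advisory
    // describes.
    public HttpResponse doImportInsecure(@QueryParameter String jobName) {
        // ... the state-changing import would happen here ...
        return HttpResponses.ok();
    }

    // AFTER (the fixed pattern): @POST makes Stapler reject any non-POST
    // request before the method body runs, which also brings the request
    // under the crumb check; checkPermission throws an AccessDeniedException
    // for callers that lack the permission, so the import never starts for
    // an unauthorized principal.
    @POST
    public HttpResponse doImport(@QueryParameter String jobName) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // assumed permission
        // ... the state-changing import happens here ...
        return HttpResponses.ok();
    }

    // RootAction plumbing: a null icon hides the action from the sidebar.
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Example import"; }
    @Override public String getUrlName() { return "example-import"; }
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every do* method that changes state should carry @POST (or @RequirePOST) and should call checkPermission on the object whose permission governs the operation before doing any work. The permission check matters independently of the verb restriction, since @POST alone still lets any authenticated user who can obtain a crumb trigger the action.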


WAF Protection Rules

WAF Rule

A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load
