4.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-1003043

GHSA ID

GHSA-22xp-7rcx-xp34

EPSS Score

0.39712%

CWE

CWE-862

Published

5/13/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1003043

CVE-2019-1003043: Jenkins Slack Notification Plugin missing permission check

Jenkins Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).

(GitHub Advisory)

4.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-1003043

GHSA ID

GHSA-22xp-7rcx-xp34

EPSS Score

0.39712%

CWE

CWE-862

Published

5/13/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:slack	maven	<= 2.19	2.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerable method was modified to add @POST annotation and permission checks. The advisory explicitly states this form validation method (doTestConnection) was the attack vector. The function's pre-patch behavior matches the CWE-862 (Missing Authorization) description, as it allowed low-privileged users to trigger sensitive actions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Sl**k Noti*i**tion Plu*in *i* not p*r*orm p*rmission ****ks on * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llow** us*rs wit* Ov*r*ll/R*** ****ss to J*nkins to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls I*s o*t*

Reasoning

T** *ommit *i** s*ows t** vuln*r**l* m*t*o* w*s mo*i*i** to *** @POST *nnot*tion *n* p*rmission ****ks. T** **visory *xpli*itly st*t*s t*is *orm `v*li**tion` m*t*o* (`*oT*st*onn**tion`) w*s t** *tt**k v**tor. T** *un*tion's pr*-p*t** ****vior m*t***s

4.2

Basic Information

Concerned about an active attack path?

CVE-2019-1003043: Jenkins Slack Notification Plugin missing permission check

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI