
CVE-2019-1003043: Jenkins Slack Notification Plugin missing permission check

CVSS Score: 4.2 (CVSS 3.0)

Basic Information

EPSS Score: 0.39712%
Published: 5/13/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name: org.jenkins-ci.plugins:slack
Ecosystem: maven
Vulnerable Versions: <= 2.19
First Patched Version: 2.20

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The commit diff shows that the vulnerable method was modified to add the @POST annotation and permission checks. The advisory explicitly states that this form validation method (doTestConnection) was the attack vector. The function's pre-patch behavior matches the CWE-862 (Missing Authorization) description: it allowed low-privileged users to trigger a sensitive action.
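The fix pattern the analysis describes (restricting the form-validation endpoint to POST and adding a permission check before any user-supplied input is used), shown as an added illustrative example rather than the Slack Notification Plugin's own source. The class and method names (ExampleGlobalConfig, doTestConnectionUnchecked, testConnection) and the parameters baseUrl and credentialId are hypothetical; the Jenkins and Stapler APIs used (@POST, FormValidation, @QueryParameter, Jenkins.get().checkPermission, Jenkins.ADMINISTER) are real.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Added illustrative example (hypothetical class), not the plugin's own code.
// Descriptor methods named doXxx are web-exposed by Stapler, so the
// "Test connection" button on a configuration form is also an HTTP endpoint.
@Extension
public class ExampleGlobalConfig extends GlobalConfiguration {

    // BEFORE (the pre-patch shape the root cause analysis describes):
    // no HTTP-verb restriction and no permission check, so any user with
    // Overall/Read can make Jenkins connect to a caller-chosen URL using a
    // caller-chosen credentials ID (CWE-862, Missing Authorization).
    public FormValidation doTestConnectionUnchecked(@QueryParameter String baseUrl,
                                                    @QueryParameter String credentialId) {
        return testConnection(baseUrl, credentialId);
    }

    // AFTER: @POST makes Stapler reject non-POST requests (and Jenkins' CSRF
    // protection then requires a crumb), and checkPermission() throws
    // AccessDeniedException before any user-supplied input is touched, so only
    // administrators can trigger the outbound connection.
    @POST
    public FormValidation doTestConnection(@QueryParameter String baseUrl,
                                           @QueryParameter String credentialId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return testConnection(baseUrl, credentialId);
    }

    // Hypothetical connectivity check shared by both variants; a real plugin
    // would resolve credentialId from the credentials store and call the
    // remote API here.
    private FormValidation testConnection(String baseUrl, String credentialId) {
        if (baseUrl == null || baseUrl.isEmpty()) {
            return FormValidation.error("Base URL is required");
        }
        if (credentialId == null || credentialId.isEmpty()) {
            return FormValidation.error("Credentials ID is required");
        }
        return FormValidation.ok("Success");
    }
}
```

For a descriptor that is configured per job rather than globally, the same pattern applies with the job as the context: take the enclosing item via `@AncestorInPath Item item` and call `item.checkPermission(Item.CONFIGURE)` instead of checking Overall/Administer, so that only users allowed to configure that job can drive the validation method.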

WAF Protection Rules

WAF Rule

Jenkins Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obta
