
CVE-2019-1003076: CSRF vulnerability in Jenkins Audit to Database Plugin

CVSS Score: 6.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.37242%
Published: 5/13/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name: org.jenkins-ci.plugins:audit2db
Ecosystem: maven
Vulnerable Versions: <= 0.5
First Patched Version: none listed

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The CVE description explicitly identifies DbAuditPublisherDescriptorImpl#doTestJdbcConnection, a form-validation method in the plugin's descriptor, as the vulnerable code. According to the Jenkins security advisory, the method has two independent defects: it performs no permission check, so low-privileged users can invoke it directly, and it is not restricted to POST requests, so Jenkins' CSRF protection does not apply and a request forged from another site can trigger it. Either path lets an attacker make the Jenkins controller initiate a connection to a JDBC URL the attacker supplies. This matches the CWE-352 (CSRF) classification and the attack vector described in the Jenkins advisory.
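The following is an added illustration, not the plugin's own source or the project's fix: it shows the shape of a Jenkins descriptor form-validation method with the two defects the advisory describes (reachable by GET, no permission check) next to the standard Jenkins hardening pattern for this class of issue. The publisher and descriptor class names and the jdbcUrl/jdbcUser/jdbcPassword parameter names are assumptions chosen for the example.

```java
// Added example, not the audit2db plugin's code. Class and parameter
// names are assumptions; only the two defects and the standard fix are
// taken from the advisory's description.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class ExampleAuditPublisher extends Publisher {

    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example audit publisher";
        }

        // VULNERABLE shape, as the advisory describes it. Stapler exposes a
        // method named doXxx at .../descriptorByName/<class>/xxx. Without
        // @RequirePOST it answers GET requests, so Jenkins' crumb-based CSRF
        // check never runs and an <img src=...> on an attacker's page is
        // enough; without a permission check, any low-privileged user can
        // call it directly. Either way the controller opens a JDBC
        // connection to whatever host the attacker put in jdbcUrl.
        public FormValidation doTestJdbcConnectionUnsafe(@QueryParameter String jdbcUrl,
                                                          @QueryParameter String jdbcUser,
                                                          @QueryParameter String jdbcPassword) {
            return tryConnect(jdbcUrl, jdbcUser, jdbcPassword);
        }

        // HARDENED shape (the standard Jenkins fix for this class of issue).
        // @RequirePOST rejects GET, so the request must carry a valid crumb
        // and cannot be forged cross-site; checkPermission refuses callers
        // below Overall/Administer before any socket is opened.
        @RequirePOST
        public FormValidation doTestJdbcConnection(@QueryParameter String jdbcUrl,
                                                    @QueryParameter String jdbcUser,
                                                    @QueryParameter String jdbcPassword) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return tryConnect(jdbcUrl, jdbcUser, jdbcPassword);
        }

        // Shared connection test. Reported back as form validation so the
        // configuration page can render success or failure inline.
        private static FormValidation tryConnect(String url, String user, String password) {
            try (Connection c = DriverManager.getConnection(url, user, password)) {
                return c.isValid(5)
                        ? FormValidation.ok("Connection succeeded")
                        : FormValidation.error("Connection opened but is not valid");
            } catch (SQLException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

The two annotations address different attackers and both are needed: @RequirePOST alone still lets an authenticated low-privileged user POST with their own crumb, and checkPermission alone still lets a forged GET ride on an administrator's session. Check existing form-validation methods in a plugin by looking for doXxx methods that take @QueryParameter arguments and have side effects (network connections, credential lookups) but carry neither annotation.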

Vulnerable functions

DbAuditPublisherDescriptorImpl#doTestJdbcConnection (the method identified in the root cause analysis above)

WAF Protection Rules

WAF Rule

A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

Reasoning

The CVE description explicitly identifies `DbAuditPublisherDescriptorImpl#doTestJdbcConnection` as the vulnerable method. The advisory states it lacks both permission checks (allowing low-privileged users to trigger connections) and CSRF protections (no POST requirement).