CVE-2019-1003077: Missing permission check in Jenkins Audit to Database Plugin
CVSS Score: 6.5 (CVSS 3.1)

Basic Information

CVE ID: CVE-2019-1003077
GHSA ID:
EPSS Score: 0.17128%
CWE: CWE-862
Published: 5/13/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:audit2db | maven | <= 0.5 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability documentation (the CVE description, the GHSA advisory and the Jenkins security advisory) consistently identifies DbAuditPublisherDescriptorImpl#doTestJdbcConnection as the vulnerable method, and the CWE-862 (Missing Authorization) classification confirms that this is an authorization bypass. Form validation methods in Jenkins are expected to require POST requests and to perform a permission check; both controls were missing here. Because the method's purpose is to test JDBC connections, the missing controls give a clear SSRF vector: the Jenkins server opens an outbound database connection to whatever URL the caller supplies.
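The two missing controls, shown in an added illustrative Jenkins descriptor that is not the audit2db plugin's own code (the class, method and parameter names are assumed; the Jenkins and Stapler APIs used are real): the same form-validation method without and with `@RequirePOST` and an explicit permission check.

```java
// Illustrative Jenkins publisher descriptor (added example, not the audit2db plugin's code).
// Class, method and field names are hypothetical; Jenkins/Stapler APIs are real.
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

@Extension
public class ExampleDbPublisherDescriptor extends Descriptor<Publisher> {

    @Override
    public String getDisplayName() {
        return "Example DB audit publisher";
    }

    // BEFORE (the CWE-862 pattern): Stapler exposes any public do*() method as a URL.
    // Without @RequirePOST it answers GET, and without a permission check any user who
    // can reach the descriptor URL makes the server open the connection. Shown only to
    // mark what is missing; never ship a form-validation method like this.
    public FormValidation doTestJdbcConnectionUnchecked(@QueryParameter String jdbcUrl,
            @QueryParameter String username, @QueryParameter String password) {
        return tryConnect(jdbcUrl, username, password);
    }

    // AFTER: require POST (so the action cannot be triggered by a plain link or GET
    // request) and check a permission before any outbound connection is attempted.
    @RequirePOST
    public FormValidation doTestJdbcConnection(@QueryParameter String jdbcUrl,
            @QueryParameter String username, @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException
        return tryConnect(jdbcUrl, username, password);
    }

    private static FormValidation tryConnect(String jdbcUrl, String username, String password) {
        try (Connection c = DriverManager.getConnection(jdbcUrl, username, password)) {
            return c.isValid(5) ? FormValidation.ok("Connection succeeded")
                                : FormValidation.error("Connection is not valid");
        } catch (SQLException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

When reviewing a plugin for this class of issue, look for every public `do*` method on a Descriptor that reaches the network or filesystem and confirm both the POST annotation and a `checkPermission` call are present before the side effect.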