Miggo Logo
Miggo Vulnerability Database
CVE-2019-1003078

CVE-2019-1003078: Jenkins VMware Lab Manager Slaves Plugin vulnerable CSRF vulnerability

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-1003078
GHSA ID
GHSA-6j5j-w6v4-rwqr
EPSS Score
0.21247%
CWE
CWE-352
Published
5/13/2022
Updated
1/30/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:labmanagermaven<= 0.2.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability documentation explicitly identifies LabManager.DescriptorImpl#doTestConnection as the vulnerable method. Jenkins form validation endpoints typically use do[Action] naming patterns. The advisory specifically mentions: 1) Missing permission checks allowing Overall/Read users to trigger connections, and 2) Lack of POST request requirement enabling CSRF. These characteristics match classic CSRF vulnerabilities in Jenkins plugins where sensitive actions aren't properly protected.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-sit* r*qu*st *or**ry vuln*r**ility in J*nkins VMw*r* L** M*n***r Sl*v*s Plu*in in t** L**M*n***r.**s*riptorImpl#*oT*st*onn**tion *orm v*li**tion m*t*o* *llows *tt**k*rs to initi*t* * *onn**tion to *n *tt**k*r-sp**i*i** s*rv*r.

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s `L**M*n***r.**s*riptorImpl#*oT*st*onn**tion` *s t** vuln*r**l* m*t*o*. J*nkins *orm v*li**tion *n*points typi**lly us* *o[**tion] n*min* p*tt*rns. T** **visory sp**i*i**lly m*ntions: *) Missin* p*