CVE-2019-1003092:
Cross-site request forgery vulnerability in Jenkins Nomad Plugin

CVSS Score
6.5 (CVSS v3.0)

Basic Information

EPSS Score
0.37242%
Published
5/13/2022
Updated
8/13/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name
org.jenkins-ci.plugins:nomad
Ecosystem
maven
Vulnerable Versions
< 0.5.1
First Patched Version
0.5.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two critical missing protections in doTestConnection: 1) The absence of the @RequirePOST annotation left the method reachable via GET requests, making it vulnerable to CSRF. 2) The missing Jenkins.ADMINISTER permission check allowed low-privilege users to trigger the action. The patch explicitly adds both protections (visible in the commit diff), confirming these were the vulnerability vectors. The CWE-352 classification and the advisory descriptions directly match this scenario.
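As an added illustration (not the plugin's own code and not part of the Miggo analysis), here is a Jenkins form-validation method in the unprotected shape the analysis describes and in the hardened shape the patch produces. Only the name NomadCloud.DescriptorImpl#doTestConnection comes from the advisory; the nomadUrl parameter, the probe body and the Cloud stubs are assumptions.

```java
// Added example, not the plugin's own code. Only NomadCloud.DescriptorImpl#doTestConnection
// comes from the advisory; the nomadUrl parameter and the probe logic are assumptions.
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Label;
import hudson.slaves.Cloud;
import hudson.slaves.NodeProvisioner.PlannedNode;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collection;
import java.util.Collections;

public class NomadCloud extends Cloud {
    public NomadCloud(String name) { super(name); }
    // Minimal Cloud stubs so the class compiles; provisioning is not the point here.
    @Override public boolean canProvision(Label label) { return false; }
    @Override public Collection<PlannedNode> provision(Label label, int excess) {
        return Collections.emptyList();
    }
    @Extension
    public static class DescriptorImpl extends Descriptor<Cloud> {
        // VULNERABLE shape (CWE-352): reachable by a plain GET and with no
        // permission check, so a page any logged-in user visits can make the
        // Jenkins controller open a connection to whatever URL it chooses.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String nomadUrl) {
            return probe(nomadUrl);
        }
        // HARDENED shape, the two protections the patch adds: @RequirePOST rejects
        // GET (a cross-site POST would also need the Jenkins crumb), and the
        // permission check limits the action to administrators.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String nomadUrl) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(nomadUrl);
        }
        // Assumed connection test: a single HTTP request to the configured URL.
        private static FormValidation probe(String nomadUrl) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(nomadUrl).openConnection();
                c.setConnectTimeout(5000);
                return c.getResponseCode() == 200 ? FormValidation.ok("Nomad reachable")
                        : FormValidation.error("HTTP " + c.getResponseCode());
            } catch (Exception e) {
                return FormValidation.error(e, "Cannot reach Nomad");
            }
        }
    }
}
```

In a real plugin only the hardened doTestConnection would exist; the unsafe variant is kept here side by side to show exactly which two lines the fix adds.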

WAF Protection Rules

WAF Rule

A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

Reasoning

The vulnerability stems from two critical missing protections in `doTestConnection`: 1) Absence of @RequirePOST annotation made it vulnerable to CSRF via GET requests. 2) Missing `Jenkins.ADMINISTER` permission check allowed low-privilege users to tr