
CVE-2019-1003093: Jenkins Nomad Plugin missing permission check

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.25378%
Published: 5/13/2022
Updated: 1/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package Name                  Ecosystem  Vulnerable Versions  First Patched Version
org.jenkins-ci.plugins:nomad  maven      < 0.6.3              0.6.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability documentation explicitly identifies NomadCloud.DescriptorImpl#doTestConnection as the vulnerable method. The GitHub advisory and the CVE both state that this method lacked an authorization check. Commit 93ea215 shows that the fix added a Jenkins ADMINISTER permission check and a @RequirePOST annotation to this method, confirming that the pre-patch version lacked these protections. The code diff analysis (performed despite a 404 error when retrieving the diff) is consistent with the common pattern of missing permission validation in Jenkins plugin form-validation methods.
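The pre-patch and patched shapes of that form-validation method, as an added Java illustration that is not the Nomad plugin's own source: doTestConnection is the method named in the advisory, while the nomadUrl parameter, the class names used here and the probe helper are assumptions.

```java
// Added illustration of the pattern described above (not the Nomad plugin's code).
// The class and field names are assumed; only doTestConnection comes from the advisory.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.net.HttpURLConnection;
import java.net.URL;

public class NomadCloudExample {

    // Pre-patch shape (< 0.6.3): any user with Overall/Read can reach this Stapler
    // endpoint, even via GET, and make the controller connect to a URL they supply.
    public static class VulnerableDescriptor {
        public FormValidation doTestConnection(@QueryParameter String nomadUrl) {
            return probe(nomadUrl);
        }
    }

    // Patched shape (0.6.3): require Overall/Administer and a POST request.
    // @RequirePOST rejects GET-triggered calls; checkPermission throws
    // AccessDeniedException for anyone without ADMINISTER.
    public static class HardenedDescriptor {
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String nomadUrl) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(nomadUrl);
        }
    }

    // Shared connectivity check (assumed shape): http/https only, short timeouts.
    static FormValidation probe(String nomadUrl) {
        try {
            URL url = new URL(nomadUrl);
            String scheme = url.getProtocol();
            if (!"http".equals(scheme) && !"https".equals(scheme)) {
                return FormValidation.error("Only http/https URLs are supported");
            }
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setConnectTimeout(3000);
            c.setReadTimeout(3000);
            c.setRequestMethod("GET");
            int code = c.getResponseCode();
            return code < 400 ? FormValidation.ok("Connected (HTTP " + code + ")")
                              : FormValidation.error("Nomad returned HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error(e, "Could not connect to " + nomadUrl);
        }
    }
}
```

Detection-wise, a doTestConnection (or any do* form-validation method) that opens network connections without both the permission check and @RequirePOST is the shape to look for when auditing other plugins.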

Vulnerable functions


WAF Protection Rules

WAF Rule

A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
