
CVE-2019-1003099: Jenkins openid Plugin missing permission check

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.25378%
Published: 5/13/2022
Updated: 1/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name: org.jenkins-ci.plugins:openid
Ecosystem: maven
Vulnerable Versions: < 2.4
First Patched Version: 2.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability documentation explicitly identifies OpenIdSsoSecurityRealm.DescriptorImpl#doValidate as the vulnerable method. The GitHub commit 5a91a74 shows that the fix added both a @RequirePOST annotation and a Jenkins.ADMINISTER permission check, confirming that the original implementation lacked these safeguards. This matches the CWE-862 (Missing Authorization) classification: the unguarded form-validation method let insufficiently authorized users make Jenkins initiate outbound network connections.
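An added illustration, not the openid plugin's own code, of the pattern the fix applies to a Jenkins form-validation method: the unprotected version beside the one guarded by @RequirePOST and an Overall/Administer check. The realm class, the endpoint parameter and the probe helper are hypothetical.

```java
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.security.SecurityRealm;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical SSO realm (assumed name); only its descriptor's form validation matters here. */
public class ExampleSsoSecurityRealm extends SecurityRealm {
    @Override
    public SecurityComponents createSecurityComponents() {
        throw new UnsupportedOperationException("omitted in this illustration");
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<SecurityRealm> {
        // BEFORE (the CWE-862 pattern): reachable by GET with no permission check, so any
        // user with Overall/Read can make the controller connect to a URL they choose.
        public FormValidation doValidateUnprotected(@QueryParameter String endpoint) {
            return probe(endpoint);
        }

        // AFTER (what the fix introduces): POST only, and the caller must hold
        // Overall/Administer before any outbound connection is attempted.
        @RequirePOST
        public FormValidation doValidate(@QueryParameter String endpoint) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException otherwise
            return probe(endpoint);
        }

        // The side effect being guarded: the Jenkins controller opens a connection to the URL.
        private static FormValidation probe(String endpoint) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(endpoint).openConnection();
                c.setConnectTimeout(5_000);
                c.setReadTimeout(5_000);
                c.setRequestMethod("HEAD");
                int status = c.getResponseCode();
                return status < 400 ? FormValidation.ok() : FormValidation.error("HTTP " + status);
            } catch (Exception e) {
                return FormValidation.error("Cannot reach " + endpoint + ": " + e.getMessage());
            }
        }
    }
}
```

The permission check must precede the connection attempt; placing it after probe() would still let the request trigger the outbound connection before access is denied.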

WAF Protection Rules

WAF Rule

A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
