Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability

High severity GitHub Reviewed Published May 13, 2022 to the GitHub Advisory Database • Updated Oct 25, 2023

Package

io.jenkins.plugins:warnings-ng (Maven)

Affected versions

<= 2.1.1

Patched versions

None

Description

Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
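The two fixes the advisory describes, a POST-only form validation endpoint and a Groovy compile that refuses AST-transforming annotations, can be shown side by side in a Jenkins plugin descriptor. The following is an added illustration, not the warnings-ng plugin's own code or its actual patch; the class and method names are invented, the "before" method is a simplified reconstruction of the flaw as described above, and it assumes the Script Security plugin's RejectASTTransformsCustomizer is on the classpath. The permission checked is Jenkins.ADMINISTER, since the Overall/RunScripts permission named in the advisory has since been folded into Administer in Jenkins core.

```java
package io.example.warnings; // hypothetical package, not the plugin's

import groovy.lang.GroovyShell;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.RejectASTTransformsCustomizer;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical descriptor fragment: a form validation endpoint that checks
 * whether a user-supplied Groovy script compiles, shown before and after
 * the two hardening steps the advisory describes.
 */
public class GroovyScriptValidation {

    /*
     * BEFORE (illustrative reconstruction, not the plugin's code):
     *  - any HTTP method is accepted, so a cross-site GET issued from an
     *    administrator's browser reaches the endpoint (CSRF), and
     *  - a plain GroovyShell runs global AST transformations such as @Grab
     *    while parsing, so "compile only" still executes attacker-chosen
     *    behaviour on the controller.
     */
    public FormValidation doCheckScriptBefore(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            new GroovyShell().parse(script);
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            return FormValidation.error(e.getMessage());
        }
    }

    /*
     * AFTER:
     *  - @RequirePOST makes Stapler reject non-POST requests, and the Jenkins
     *    crumb filter then protects the POST against CSRF;
     *  - RejectASTTransformsCustomizer runs in Groovy's CONVERSION phase and
     *    fails compilation when the source carries AST-transforming
     *    annotations such as @Grab, before they get a chance to act.
     */
    @RequirePOST
    public FormValidation doCheckScript(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (script == null || script.trim().isEmpty()) {
            return FormValidation.ok(); // nothing to validate
        }
        try {
            new GroovyShell(safeCompilerConfiguration()).parse(script);
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            // Both ordinary syntax errors and rejected annotations end up here.
            return FormValidation.error(e.getMessage());
        }
    }

    /** Compiler configuration that refuses unsafe AST-transforming annotations. */
    static CompilerConfiguration safeCompilerConfiguration() {
        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(new RejectASTTransformsCustomizer());
        return config;
    }
}
```

The permission check alone is not a CSRF defence: it is evaluated in the administrator's own session, which the forged request carries. Requiring POST is what brings the request under the crumb filter, and the compile-phase customizer is what keeps a "validation only" compile from running code.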

References

Published by the National Vulnerability Database Feb 6, 2019
Published to the GitHub Advisory Database May 13, 2022
Last updated Oct 25, 2023
Reviewed Oct 25, 2023

Severity

High (8.8 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2019-1003008

GHSA ID

GHSA-whf8-3h58-2w9f

Source code

No known source code