Sensitive Information Exposure in Jenkins Job Import Plugin
CVE-2019-1003016

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Job Import Plugin
Vendor: CVE Published:; 6 February 2019

Summary

The Jenkins Job Import Plugin prior to version 2.1 contains a vulnerability that enables an attacker with Overall/Read permissions to connect Jenkins to a maliciously crafted URL. This is achieved by leveraging attacker-specified credential IDs, which could be obtained through various means. Such an exploit could lead to the unintended disclosure of sensitive credentials stored within Jenkins, posing significant security risks to affected installations.

Affected Version(s)

Jenkins Job Import Plugin 2.1 and earlier

References

https://jenkins.io/security/advisory/2019-01-28/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Feb 6, 2019