Server-Side Request Forgery Vulnerability in Jenkins Mattermost Notification Plugin
CVE-2019-1003026

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Mattermost Notification Plugin
Vendor: CVE Published:; 20 February 2019

What is CVE-2019-1003026?

A server-side request forgery vulnerability exists in the Jenkins Mattermost Notification Plugin, version 2.6.2 and earlier. This flaw allows attackers with Overall/Read permissions to manipulate Jenkins into connecting to an attacker-specified Mattermost server and room, enabling unauthorized message transmissions. This issue may lead to potential information disclosure and unauthorized messaging that can be exploited by malicious actors.

Affected Version(s)

Jenkins Mattermost Notification Plugin 2.6.2 and earlier

References

https://jenkins.io/security/advisory/2019-02-19/#SECURITY...

x_refsource_CONFIRM

http://www.securityfocus.com/bid/107295

vdb-entryx_refsource_BID

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2019
Vulnerability Reserved
Feb 20, 2019