CVE-2018-1000414
Description
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Jenkins Config File Provider Plugin allows attackers to create or edit configuration files by tricking a user into visiting a malicious page.
Vulnerability
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin version 3.1 and earlier [1]. The vulnerability resides in ConfigFilesManagement.java and FolderConfigFileAction.java, where methods for saving and adding configuration files did not require POST requests, allowing CSRF attacks that could create or edit configuration file definitions [2][3].
Exploitation
An attacker can craft a malicious HTML page that, when visited by an authenticated Jenkins user with the required permissions (e.g., Administer or Configure for folders), triggers a forged request to the plugin's endpoints, creating or modifying configuration files without the user's knowledge [1].
Impact
Successful exploitation allows an attacker to create or edit configuration file definitions, potentially altering the behavior of Jenkins builds or leaking sensitive information. The exact impact depends on the content and use of the configuration files [1].
Mitigation
The vulnerability was fixed in Config File Provider Plugin version 3.2, released as part of the Jenkins security advisory on 2018-09-25 [1]. The fix adds @POST annotations to the vulnerable methods [3]. Users should upgrade to version 3.2 or later.
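The fix described above relies on the Stapler convention that a web method named `do<Something>` is reachable by any HTTP verb unless annotated with `@POST` (org.kohsuke.stapler.verb.POST) or `@RequirePOST`, which restricts it to POST and thereby brings Jenkins' crumb (CSRF token) check into play. The following Python script is an added example, not code from the plugin or the advisory: a heuristic audit that scans Java source for `do*` web methods whose name suggests a state change (save, add, remove, ...) but which carry neither annotation. The `SAMPLE_JAVA` input is constructed to mirror the pre-fix shape of the vulnerable handlers and is not the plugin's real source; the method names and verb list are assumptions for the illustration.

```python
"""Heuristic audit for Jenkins/Stapler web methods that change state but
still accept GET. Added example; not the Config File Provider Plugin's code."""
import re
from typing import Dict, List

# Annotations that restrict a Stapler web method to POST.
CSRF_ANNOTATIONS = {"POST", "RequirePOST"}

# Name-based hint that a do* method mutates state. Heuristic only: a method
# such as doEditConfig may merely render a form, so every hit needs triage.
MUTATING_VERBS = ("save", "add", "create", "remove", "delete", "update", "submit")

# Matches a public Stapler web method declaration, optionally preceded on the
# same line by annotations, e.g. "@POST public void doSaveConfig(".
METHOD_RE = re.compile(
    r"^\s*(?:@\w+(?:\([^)]*\))?\s+)*public\s+[\w<>\[\]]+\s+(do[A-Z]\w*)\s*\("
)
ANNOTATION_RE = re.compile(r"@(\w+)")

# Constructed sample (not real plugin source) in the shape of the pre-fix code:
# doSaveConfig is writable over GET, doAddConfig/doRemoveConfig are protected.
SAMPLE_JAVA = """
import org.kohsuke.stapler.verb.POST;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ConfigFilesManagement {
    public HttpResponse doSaveConfig(StaplerRequest req) {
        checkPermission(Hudson.ADMINISTER);
        return null;
    }

    public void doEditConfig(StaplerRequest req, StaplerResponse rsp, @QueryParameter("id") String id) {
        checkPermission(Hudson.ADMINISTER);
        // renders the edit form only
    }

    @POST
    public void doAddConfig(StaplerRequest req, StaplerResponse rsp) {
        checkPermission(Hudson.ADMINISTER);
    }

    @RequirePOST
    public void doRemoveConfig(StaplerRequest req) {
        checkPermission(Hudson.ADMINISTER);
    }
}
"""


def audit_stapler_methods(source: str) -> List[Dict]:
    """Return one record per do* web method: its annotations, whether its
    name suggests a state change, and whether it is restricted to POST."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = METHOD_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        # Annotations written on the declaration line before the method name.
        annotations = set(ANNOTATION_RE.findall(line[: m.start(1)]))
        # Plus annotation-only lines directly above the declaration.
        j = i - 1
        while j >= 0 and lines[j].strip().startswith("@"):
            annotations.update(ANNOTATION_RE.findall(lines[j]))
            j -= 1
        mutating = any(verb in name.lower() for verb in MUTATING_VERBS)
        findings.append({
            "method": name,
            "annotations": sorted(annotations),
            "mutating": mutating,
            "csrf_protected": bool(annotations & CSRF_ANNOTATIONS),
        })
    return findings


def find_unprotected(source: str) -> List[str]:
    """Names of methods that look state-changing but lack @POST/@RequirePOST."""
    return [
        f["method"]
        for f in audit_stapler_methods(source)
        if f["mutating"] and not f["csrf_protected"]
    ]


if __name__ == "__main__":
    for finding in audit_stapler_methods(SAMPLE_JAVA):
        status = "ok" if finding["csrf_protected"] or not finding["mutating"] else "REVIEW"
        print(f"{status:7} {finding['method']:16} annotations={finding['annotations']}")
    print("unprotected:", find_unprotected(SAMPLE_JAVA))  # ['doSaveConfig']
```

Run against a plugin checkout (`for f in $(find src -name '*.java'); do ...`) the script gives a quick triage list; it is deliberately a name heuristic, so a handler that mutates state under an innocuous name will be missed and a read-only handler with a mutating verb in its name will be flagged. A permission check such as `checkPermission(...)` inside the body does not make a method CSRF-safe, which is exactly why doSaveConfig is reported despite calling it.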
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:config-file-provider (Maven) | < 3.2 | 3.2 |
Affected products
- Range: 2.8.1, config-file-provider-2.10.0, config-file-provider-2.10.1, …
Patches
- 5c1df554e44b [SECURITY-938][SECURITY-1080]
4 files changed · +14 −8
src/main/java/org/jenkinsci/plugins/configfiles/ConfigFilesManagement.java+3 −0 modified@@ -47,6 +47,7 @@ of this software and associated documentation files (the "Software"), to deal import org.kohsuke.stapler.StaplerProxy; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; +import org.kohsuke.stapler.verb.POST; /** * Provides a new link in the "Manage Jenkins" view and builds the UI to manage the configfiles. @@ -131,6 +132,7 @@ public Collection<Config> getConfigs() { * @param req * @return */ + @POST public HttpResponse doSaveConfig(StaplerRequest req) { checkPermission(Hudson.ADMINISTER); try { @@ -189,6 +191,7 @@ public void doEditConfig(StaplerRequest req, StaplerResponse rsp, @QueryParamete * @throws IOException * @throws ServletException */ + @POST public void doAddConfig(StaplerRequest req, StaplerResponse rsp, @QueryParameter("providerId") String providerId, @QueryParameter("configId") String configId) throws IOException, ServletException { checkPermission(Hudson.ADMINISTER);
src/main/java/org/jenkinsci/plugins/configfiles/folder/FolderConfigFileAction.java+3 −0 modified@@ -41,6 +41,7 @@ import jenkins.model.TransientActionFactory; import net.sf.json.JSONObject; +import org.kohsuke.stapler.verb.POST; public class FolderConfigFileAction implements Action, ConfigFilesUIContract, StaplerProxy { @@ -116,6 +117,7 @@ public List<ConfigProvider> getProviders() { } @Override + @POST public HttpResponse doSaveConfig(StaplerRequest req) throws IOException, ServletException { checkPermission(Item.CONFIGURE); try { @@ -175,6 +177,7 @@ public void doEditConfig(StaplerRequest req, StaplerResponse rsp, @QueryParamete @Override + @POST public void doAddConfig(StaplerRequest req, StaplerResponse rsp, @QueryParameter("providerId") String providerId, @QueryParameter("configId") String configId) throws IOException, ServletException { checkPermission(Item.CONFIGURE);
src/main/resources/lib/configfiles/configfiles.jelly+4 −4 modified@@ -37,7 +37,7 @@ THE SOFTWARE. <tr valign="center" style="border-top: 0px;"> <td class="pane-header" colspan="2"> <i> - <j:out value="${pEntry.key.displayName}"/> + ${pEntry.key.displayName} </i> </td> </tr> @@ -56,16 +56,16 @@ THE SOFTWARE. </td> <td> <i> - <j:out value="${t.name}"/> + ${t.name} </i> </td> </tr> <tr> <td> - <j:out value="${t.contentType}"/> + ${t.contentType} </td> <td> - <j:out value="${t.comment}"/> + ${t.comment} </td> </tr> </j:forEach>
src/main/resources/lib/configfiles/providerlist.jelly+4 −4 modified@@ -36,7 +36,7 @@ THE SOFTWARE. <table class="pane"> <tr valign="center" style="border-top: 0px;"> <td class="pane-header" colspan="2"> - <i><j:out value="${p.displayName}" /></i> + <i>${p.displayName}</i> </td> </tr> <j:forEach var="t" items="${p.allConfigs}"> @@ -53,12 +53,12 @@ THE SOFTWARE. </a> </td> <td > - <i><j:out value="${t.name}" /></i> + <i>${t.name}</i> </td> </tr> <tr> - <td><j:out value="${t.contentType}" /></td> - <td><j:out value="${t.comment}" /></td> + <td>${t.contentType}</td> + <td>${t.comment}</td> </tr> </j:forEach> </table>
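Review bot: in ConfigFilesManagement.java, doEditConfig (visible as context in the hunk at @@ -189,6 +191,7 @@) still accepts GET while doSaveConfig and doAddConfig gain @POST; please confirm it only renders the edit form and performs no write, and note in the change description which other write paths in this class, if any, are handled outside this diff, since only these two methods are annotated. A short comment next to each new @POST referencing SECURITY-938 would tell future readers why the verb is restricted and discourage its removal during refactoring.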
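Review bot: in FolderConfigFileAction.java the @POST annotations on doSaveConfig and doAddConfig sit on the overriding methods, which is the right place because Java does not propagate method annotations from an interface to its implementations; it would be worth adding a Javadoc note on ConfigFilesUIContract (named in the class-declaration context of the first hunk) stating that implementations of these two methods must be POST-only, so the next implementer does not reintroduce the CSRF issue.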
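Review bot: in configfiles.jelly, replacing `<j:out value="${t.name}"/>` with `${t.name}` (and likewise for displayName, contentType and comment) changes raw output into the default expression rendering, which only escapes HTML when the file carries `<?jelly escape-by-default='true'?>` at its top; that directive is outside both hunks, so please confirm it is present, otherwise the change does not alter how these user-controlled values reach the browser.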
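Review bot: providerlist.jelly follows the same `<j:out>` to `${...}` substitution as configfiles.jelly and needs the same escape-by-default check; since these rows are being touched anyway, the pre-existing `<td >` (stray space before `>`) in the @@ -53,12 +53,12 @@ context and `valign="center"` in the first hunk (not a valid value; HTML uses `middle`) could be tidied in the same commit.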
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r5m8-5mwx-cmj8 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000414 (GHSA: advisory)
- www.securityfocus.com/bid/106532 (GHSA: vdb-entry, x_refsource_BID, web)
- github.com/jenkinsci/config-file-provider-plugin/commit/5c1df554e44b712e5d926b8d5557c592bf9f0a33 (GHSA: web)
- jenkins.io/security/advisory/2018-09-25/ (GHSA: x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.