CVE-2018-8718
Description
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins Mailer Plugin 1.20 allows authenticated users to send unauthorized mail as any user via a crafted request.
Vulnerability
The Mailer Plugin version 1.20 for Jenkins 2.111 contains a cross-site request forgery (CSRF) vulnerability in the /descriptorByName/hudson.tasks.Mailer/sendTestMail endpoint. The doSendTestMail method lacked @RequirePOST and did not enforce the Jenkins ADMINISTER permission, making it susceptible to CSRF attacks. This affects Mailer Plugin up to and including version 1.20 [1][2][4].
Exploitation
An attacker must be an authenticated Jenkins user and trick another authenticated user into visiting a crafted page or URL that triggers a POST request to /descriptorByName/hudson.tasks.Mailer/sendTestMail. No additional privileges or special network position is required beyond access to a Jenkins instance [1][2][3].
Impact
A successful CSRF attack allows the attacker to send test emails on behalf of any Jenkins user, including administrators. The email can be sent to arbitrary addresses, potentially used for phishing or other social engineering attacks. The attacker does not gain control of the Jenkins server itself but can abuse the mailer functionality to impersonate users [1][2].
Mitigation
Jenkins released Mailer Plugin version 1.21 on 2018-03-26, which adds @RequirePOST and checkPermission(Jenkins.ADMINISTER) to the doSendTestMail method, preventing CSRF and restricting the endpoint to administrators [3][4]. Users should upgrade to version 1.21 or later. No workaround is available for earlier versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
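As an added defender-side example (not part of this advisory or the Mailer Plugin), a small Python scanner that flags requests to the sendTestMail endpoint in an access log when the method is not POST or the Referer is missing or cross-site, the two conditions that a forged request would exhibit and that the 1.21 fix's @RequirePOST rejects. It assumes Jenkins is fronted by a reverse proxy writing NCSA "combined" log lines; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in CVE-2018-8718: before Mailer 1.21 it accepted any method and any user.
SENDTESTMAIL_PATH = "/descriptorByName/hudson.tasks.Mailer/sendTestMail"

# Assumed NCSA "combined" format: host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def csrf_indicators(entry, jenkins_host):
    """Reasons a sendTestMail request looks forged; [] for other paths or a clean same-origin POST."""
    if urlsplit(entry["path"]).path != SENDTESTMAIL_PATH:
        return []
    reasons = []
    if entry["method"] != "POST":
        reasons.append("non-POST method " + entry["method"])  # exactly what @RequirePOST in 1.21 rejects
    ref_host = urlsplit(entry["referer"]).hostname if entry["referer"] != "-" else None
    if ref_host is None:
        reasons.append("no Referer")
    elif ref_host != jenkins_host:
        reasons.append("cross-site Referer " + ref_host)  # the /configure form posts same-origin
    return reasons

def scan(lines, jenkins_host):
    """Return [(user, method, reasons)] for every suspicious sendTestMail request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            reasons = csrf_indicators(entry, jenkins_host)
            if reasons:
                hits.append((entry["user"], entry["method"], reasons))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [26/Mar/2018:10:00:01 +0000] "POST /descriptorByName/hudson.tasks.Mailer/sendTestMail HTTP/1.1" 200 42 "https://jenkins.example/configure" "Mozilla/5.0"',
    '10.0.0.7 - bob [26/Mar/2018:10:02:13 +0000] "GET /descriptorByName/hudson.tasks.Mailer/sendTestMail?smtpServer=mail.example HTTP/1.1" 200 42 "https://lure.invalid/page.html" "Mozilla/5.0"',
    '10.0.0.9 - carol [26/Mar/2018:10:03:44 +0000] "POST /descriptorByName/hudson.tasks.Mailer/sendTestMail HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [26/Mar/2018:10:04:00 +0000] "GET /job/build/lastBuild/console HTTP/1.1" 200 9001 "https://jenkins.example/" "Mozilla/5.0"',
]
```

Run `scan(SAMPLE_LOG, "jenkins.example")` to list the two suspicious requests; the same-origin POST from the global configuration page and the unrelated console request are not reported.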
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:mailer (Maven) | < 1.21 | 1.21 |
Affected products
- Range: =1.20
Patches
98e79cf90476 [SECURITY-774] Only allow admins to send test email
1 file changed · +4 −0
src/main/java/hudson/tasks/Mailer.java+4 −0 modified@@ -86,6 +86,7 @@ import jenkins.tasks.SimpleBuildStep; import net.sf.json.JSONObject; import org.kohsuke.accmod.restrictions.DoNotUse; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * {@link Publisher} that sends the build result in e-mail. @@ -551,6 +552,7 @@ public FormValidation doCheckDefaultSuffix(@QueryParameter String value) { * @throws ServletException * @throws InterruptedException */ + @RequirePOST public FormValidation doSendTestMail( @QueryParameter String smtpServer, @QueryParameter String adminAddress, @QueryParameter boolean useSMTPAuth, @QueryParameter String smtpAuthUserName, @QueryParameter Secret smtpAuthPasswordSecret, @@ -562,6 +564,8 @@ public FormValidation doSendTestMail( if (jenkins == null) { throw new IOException("Jenkins instance is not ready"); } + + jenkins.checkPermission(Jenkins.ADMINISTER); if (!useSMTPAuth) { smtpAuthUserName = null;
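Review bot: the @RequirePOST added above doSendTestMail only rejects non-POST requests; by itself it does not restrict who may call the endpoint, so the authorization part of the fix is the checkPermission call in the following hunk, and this hunk should not be read as making the method admin-only. Consider also extending the method's Javadoc (the `@throws` block immediately above the annotation) to state that the endpoint requires POST and the ADMINISTER permission, so the contract is visible to callers without reading the body.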
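Review bot: jenkins.checkPermission(Jenkins.ADMINISTER) is correctly placed after the `jenkins == null` guard (it is invoked on that instance) and before any of the SMTP values bound by @QueryParameter (smtpServer, smtpAuthUserName, smtpAuthPasswordSecret) are used, so a non-admin caller is rejected before the method does anything with caller-supplied server or credential data. Since checkPermission throws rather than returning a FormValidation error, a unit test asserting that a non-admin user is rejected would make the intended behaviour explicit; the change touches only Mailer.java and adds no test.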
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44843/ (Exploit-DB)
- github.com/advisories/GHSA-6g57-h38c-q52g (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8718 (NVD)
- www.openwall.com/lists/oss-security/2018/03/26/3 (oss-security mailing list)
- www.securityfocus.com/bid/103691 (SecurityFocus BID)
- github.com/jenkinsci/mailer-plugin/commit/98e79cf904769907f83894e29f50ed6b3e7eb135 (fix commit)
- jenkins.io/security/advisory/2018-03-26/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.