VYPR
High severity · NVD Advisory · Published Feb 6, 2019 · Updated Sep 17, 2024

CVE-2019-1003007

Description

Cross-site request forgery in Jenkins Warnings Plugin 5.0.0 and earlier allows attackers to execute arbitrary code via a form validation endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Warnings Plugin versions 5.0.0 and earlier, specifically in the form validation HTTP endpoint defined in src/main/java/hudson/plugins/warnings/GroovyParser.java. The endpoint does not require a CSRF token, allowing an attacker to trigger arbitrary Groovy script compilation on the Jenkins controller without appropriate sandbox protection [1][3].

Exploitation

An attacker with Overall/Read access to Jenkins can craft a malicious link or form and trick an authenticated Jenkins user with sufficient permissions to submit a request to the vulnerable form validation endpoint. The request includes a Groovy script with AST-transforming annotations such as @Grab, which bypass the sandbox and allow execution of arbitrary code on the Jenkins controller [1].

Impact

Successful exploitation enables an attacker to execute arbitrary code on the Jenkins controller, potentially leading to full system compromise. The attacker can perform any action that the Jenkins controller process can, including reading credentials, installing malware, or pivoting to other systems [1][3].

Mitigation

Jenkins released a fix in a subsequent version of the Warnings Plugin that applies a safe Groovy compiler configuration, preventing the use of unsafe AST-transforming annotations. Users should upgrade to the latest version of the Warnings Plugin as recommended in the Jenkins security advisory [1]. No workaround is available; patching is the only mitigation [3].
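As an added illustration (not code from this advisory or from the Warnings Plugin itself), the Python sketch below models the gate the Vulnerability section says was missing: a form validation endpoint that only proceeds to compile a submitted script when the request carries a CSRF crumb bound to the caller's own session. The header name, the request shape and the compile stand-in are assumptions made for the example; the actual Jenkins fix additionally applied a safe Groovy compiler configuration, which this example does not model.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-instance secret; a real server would persist one across restarts.
CRUMB_SECRET = secrets.token_bytes(32)

# Hypothetical header name chosen for this example (not a Jenkins identifier).
CRUMB_HEADER = "X-Crumb"


def issue_crumb(session_id: str) -> str:
    """Return a CSRF token (crumb) bound to one authenticated session.

    Binding the token to the session is what defeats a cross-site request: an
    attacker-controlled page can make the victim's browser send the victim's
    session cookie, but it cannot read a crumb that was issued to that session.
    """
    return hmac.new(CRUMB_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def crumb_is_valid(session_id: str, crumb: Optional[str]) -> bool:
    """Constant-time check that `crumb` is the one issued for `session_id`."""
    if not crumb:
        return False
    return hmac.compare_digest(issue_crumb(session_id), crumb)


def compile_groovy_parser(script: str) -> dict:
    """Stand-in for the privileged operation the endpoint protects.

    The real endpoint compiles a user-supplied Groovy script on the controller;
    this stand-in only records that compilation would have been triggered, so
    the example never executes or compiles anything.
    """
    return {"compiled": True, "length": len(script)}


def do_check_script_unprotected(request: dict) -> dict:
    """Vulnerable shape: an authenticated session is the only gate, so a
    request forged by a third-party page reaches the compile step."""
    return compile_groovy_parser(request["params"]["script"])


def do_check_script_protected(request: dict) -> dict:
    """Hardened shape: the same validation endpoint refuses to compile unless
    the request carries the crumb issued to its own session."""
    crumb = request["headers"].get(CRUMB_HEADER)
    if not crumb_is_valid(request["session"], crumb):
        return {"compiled": False, "error": "missing or invalid CSRF crumb"}
    return compile_groovy_parser(request["params"]["script"])


def simulate() -> dict:
    """Constructed requests: one from the user's own form, one forged cross-site."""
    victim = "session-victim"
    script = "// constructed placeholder source; never compiled by this example"
    own_form = {
        "session": victim,
        "headers": {CRUMB_HEADER: issue_crumb(victim)},
        "params": {"script": script},
    }
    # A forged request rides on the victim's session cookie, but the best it
    # can carry is a crumb issued to some other session, which does not match.
    forged = {
        "session": victim,
        "headers": {CRUMB_HEADER: issue_crumb("session-other")},
        "params": {"script": script},
    }
    return {
        "unprotected_forged": do_check_script_unprotected(forged),
        "protected_forged": do_check_script_protected(forged),
        "protected_own": do_check_script_protected(own_form),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The point of the comparison is that authentication alone (the session cookie) is not evidence that the user intended the request; the crumb is evidence of intent because only a page on the Jenkins origin can obtain it for that session. Deploying such a check on a form validation endpoint that triggers compilation is the CSRF half of the fix; the other half, restricting what the compiled script may do, lives in the Groovy compiler configuration and is outside this example.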

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jvnet.hudson.plugins:warnings (Maven)
Affected versions: < 5.0.1
Patched versions: 5.0.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)