CVE-2019-1003008

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Warnings Next Generation Plugin version 2.1.1 and earlier [1][2]. The flaw is located in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java and affects a form validation HTTP endpoint that does not require a CSRF token [1][2]. This endpoint was originally provided for parsing Groovy scripts as part of the plugin's functionality.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious web page or link that, when visited by an authenticated Jenkins user, triggers a request to the vulnerable form validation endpoint. No special privileges are required beyond the victim being logged into Jenkins. The attack is performed by sending a crafted POST or GET request to the form validation endpoint without proper CSRF protection [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the Jenkins controller with the permissions of the victim user. This can lead to complete compromise of the Jenkins instance, including potential access to build artifacts, credentials, and the ability to execute builds or scripts [1][2]. The vulnerability is classified as high severity.

Mitigation

The vulnerability is fixed in Warnings Next Generation Plugin version 2.1.2, released on 2019-01-28 [1]. Users should upgrade to at least version 2.1.2 immediately. For users unable to upgrade, no workaround is provided other than to restrict access to the plugin's form validation endpoint or disable the plugin entirely. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.