CVE-2019-1003016
Description
An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Job Import Plugin 2.1 and earlier allows attackers with Overall/Read permission to capture credentials by connecting to an attacker-specified URL.
Vulnerability
The Jenkins Job Import Plugin version 2.1 and earlier contains an exposure of sensitive information vulnerability in the source files JobImportAction.java, JobImportGlobalConfig.java, and JenkinsSite.java. Attackers with Overall/Read permission can exploit this to have Jenkins connect to an attacker-specified URL using attacker-specified credential IDs (obtained via another method), thereby capturing credentials stored in Jenkins [1][2].
Exploitation
An attacker requires Overall/Read permission on the Jenkins instance and must first obtain valid credential IDs through other means (e.g., separate vulnerabilities or configuration disclosure). Then, by crafting a request to the plugin, the attacker can cause Jenkins to connect to a controlled server using those credentials, which are subsequently captured [1][2].
Impact
Successful exploitation results in the disclosure of Jenkins-stored credentials, compromising the confidentiality of sensitive authentication material. This can lead to further unauthorized access within the Jenkins environment [1][2].
Mitigation
Upgrade the Jenkins Job Import Plugin to version 2.2 or later (as per the security advisory published on 2019-01-28). If an immediate upgrade is not possible, consider restricting Overall/Read permissions to trusted users only [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:job-import-plugin (Maven) | < 3.0 | 3.0 |
Affected products
- (no CPE) range: <=2.1
- (no CPE) range: 2.1 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-57ww-2cvr-wv38 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003016 (ghsa, ADVISORY)
- jenkins.io/security/advisory/2019-01-28/ (mitre, x_refsource_CONFIRM)
- jenkins.io/security/advisory/2019-01-28/ (ghsa, WEB)
News mentions
No linked articles in our index yet.