VYPR
Moderate severity · NVD Advisory · Published Feb 6, 2019 · Updated Sep 17, 2024

CVE-2019-1003017

Description

A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Job Import Plugin 3.0 and earlier missing permission checks allow attackers to copy jobs from other Jenkins instances and install plugins.

Vulnerability

JobImportAction.java in Jenkins Job Import Plugin 3.0 and earlier does not perform permission checks in the doImport and doQuery methods, allowing unauthorized copying of jobs from a configured remote Jenkins instance and the potential installation of additional plugins required by those jobs [1][2][3].

Exploitation

Attackers with network access to the Jenkins controller can directly invoke the doImport or doQuery endpoints without proper authorization, as the methods lacked permission checks and were not restricted to POST requests. By exploiting this, they can copy arbitrary jobs from a remote instance configured in the plugin [3].

Impact

Successful exploitation lets attackers modify the Jenkins configuration by importing jobs, which may also trigger the automatic installation of the plugins needed to load those jobs. This can lead to unauthorized plugin installation and, if the installed plugins themselves have vulnerabilities, potential remote code execution [1][2].

Mitigation

Jenkins Job Import Plugin 3.1 introduced permission checks and an HTTP method restriction (POST only) for the affected methods. Users should upgrade to version 3.1 or later; no workaround is available. The plugin is listed in the Jenkins security advisory [1], and the fix commit is [3].
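As an added check that is not part of this advisory or of the plugin's own code: a small audit that reads the JSON document Jenkins serves at `pluginManager/api/json?depth=1` and flags job-import-plugin installs below the patched release 3.1, treating pre-release qualifiers (e.g. `3.1-beta-1`) as older than the release. The plugin short name `job-import-plugin` is assumed to match the Maven artifactId above, and the sample response is constructed.

```python
"""Audit a Jenkins controller's installed plugins for CVE-2019-1003017.

Added example (not from the advisory or the plugin): parses the shape of
/pluginManager/api/json?depth=1 and flags job-import-plugin < 3.1.
"""
import json
import re
from typing import List, Tuple

# Assumed: the plugin's shortName equals the Maven artifactId on the advisory.
VULN_PLUGIN = "job-import-plugin"
PATCHED_VERSION = "3.1"  # first fixed release per the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0', '3.0.1' or '3.1-beta-1' into a comparable tuple.

    The dotted-numeric prefix is padded to four components so that 3.0 and
    3.0.0 compare equal; any trailing qualifier marks a pre-release, which
    sorts before the bare release (3.1-beta-1 < 3.1).
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable plugin version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * max(0, 4 - len(nums))
    prerelease = -1 if m.group(2) else 0
    return tuple(nums) + (prerelease,)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the patched release."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def audit(plugin_manager_json: str) -> List[str]:
    """Return one finding per affected plugin entry in the JSON document."""
    doc = json.loads(plugin_manager_json)
    findings = []
    for p in doc.get("plugins", []):
        if p.get("shortName") == VULN_PLUGIN and is_vulnerable(p["version"]):
            findings.append(f"{VULN_PLUGIN} {p['version']} is affected by "
                            f"CVE-2019-1003017; upgrade to {PATCHED_VERSION}+")
    return findings


# Constructed sample response, trimmed to the fields this check reads.
SAMPLE_JSON = json.dumps({"plugins": [
    {"shortName": "job-import-plugin", "version": "3.0", "active": True},
    {"shortName": "credentials", "version": "2.1.18", "active": True},
]})

if __name__ == "__main__":
    for line in audit(SAMPLE_JSON) or ["no affected plugins found"]:
        print(line)
```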

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:job-import-plugin (Maven)
Affected versions: < 3.1
Patched versions: 3.1

Patches (1)

Commit 8f826a684ba0

[SECURITY-1302]

https://github.com/jenkinsci/job-import-plugin · Emilio Escobar · Jan 24, 2019 · via ghsa
2 files changed · +12 −11
  • src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java (+12 −1, modified)
    @@ -56,10 +56,13 @@
     import org.jenkins.ci.plugins.jobimport.utils.CredentialsUtils.NullSafeCredentials;
     import org.jenkins.ci.plugins.jobimport.utils.RemoteItemUtils;
     import org.jenkins.ci.plugins.jobimport.utils.URLUtils;
    +import org.kohsuke.accmod.Restricted;
    +import org.kohsuke.accmod.restrictions.NoExternalUse;
     import org.kohsuke.stapler.ForwardToView;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.kohsuke.stapler.verb.POST;
     
     import javax.servlet.ServletException;
     import javax.xml.transform.Source;
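Review bot: the three new imports (`Restricted`, `NoExternalUse` and `org.kohsuke.stapler.verb.POST`) are only justified by the annotations added further down in JobImportAction.java; since `@POST` comes from Stapler's `verb` package, please confirm the plugin's Jenkins core baseline in the POM is recent enough to provide it, otherwise the build breaks on the older targets the plugin still claims to support.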
    @@ -99,8 +102,13 @@ public void doClear(final StaplerRequest request, final StaplerResponse response
         response.sendRedirect(Jenkins.get().getRootUrl() + getUrlName());
       }
     
    +  @POST
    +  @Restricted(NoExternalUse.class)
       public void doImport(final StaplerRequest request, final StaplerResponse response)
               throws ServletException, IOException {
    +
    +    Jenkins.get().checkPermission(JOB_IMPORT);
    +
         final SortedMap<RemoteItem, RemoteItemImportStatus> remoteJobsImportStatus = new TreeMap<RemoteItem, RemoteItemImportStatus>();
     
         final String localFolder = request.getParameter(Constants.LOCAL_FOLDER_PARAM);
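Review bot: `@Restricted(NoExternalUse.class)` on `doImport` does not restrict HTTP access to the web method (it only marks the Java method as not-API for other plugins), so the actual authorization fix here is the `@POST` verb restriction plus `Jenkins.get().checkPermission(JOB_IMPORT)`; the commit message should say that instead of the bare `[SECURITY-1302]`. Two things to confirm: `JOB_IMPORT` is not defined anywhere in this diff, so check that the permission constant exists and is registered on the class, and `doClear`, whose tail is visible in the hunk header context, receives no equivalent check in this change, so either it is harmless or it is guarded elsewhere.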
    @@ -139,9 +147,12 @@ public void doImport(final StaplerRequest request, final StaplerResponse respons
                 .with("remoteJobsImportStatusAvailable", remoteJobsImportStatus.size()>0)
                 .generateResponse(request, response, this);
       }
    -
    +   @POST
       public void doQuery(final StaplerRequest request, final StaplerResponse response)
               throws ServletException, IOException {
    +
    +    Jenkins.get().checkPermission(JOB_IMPORT);
    +
         final SortedSet<RemoteItem> remoteJobs = new TreeSet<RemoteItem>();
     
         final String remoteFolder = request.getParameter("remoteFolder");
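Review bot: `doQuery` is protected inconsistently with `doImport`: it gets `@POST` and the same `checkPermission(JOB_IMPORT)` call but not `@Restricted(NoExternalUse.class)`; either both web methods should carry it or neither. Also the added `+   @POST` line is indented three spaces where the method declaration below uses two, and the blank line separating the two methods was dropped rather than kept; suggest keeping the blank line and aligning the annotation with `public void doQuery`.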
    
  • src/main/java/org/jenkins/ci/plugins/jobimport/utils/URLUtils.java (+0 −10, modified)
    @@ -52,16 +52,6 @@
      * @since 1.0
      */
     public final class URLUtils {
    -    public static InputStream fetchUrl2(String url, String username, String password) throws MalformedURLException, IOException {
    -        notNull(url);
    -        notNull(username);
    -        notNull(password);
    -        URLConnection conn = new URL(url).openConnection();
    -        if (!username.isEmpty()) {
    -            conn.setRequestProperty("Authorization", "Basic " + DatatypeConverter.printBase64Binary((username + ":" + password).getBytes()));
    -        }
    -        return conn.getInputStream();
    -    }
     
       public static void notNull(final Object object) {
         if (object == null) {
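Review bot: deleting `fetchUrl2` removes a public static method from `URLUtils` while the diff shows no call-site change, so confirm nothing in the plugin still references it (a remaining caller would fail to compile) and that this was genuinely dead code rather than the path `doQuery`/`doImport` use to reach the remote instance. If it was the only user of `URL`, `URLConnection`, `InputStream`, `MalformedURLException` and `DatatypeConverter`, those imports (above this hunk, not shown) are now unused and should be removed in the same change.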
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)
