CVE-2019-1003044
Description
Cross-site request forgery in Jenkins Slack Notification Plugin 2.19 and earlier lets attackers capture stored credentials by connecting to a malicious URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Slack Notification Plugin for Jenkins, versions 2.19 and earlier, exposes a form validation method (doTestConnection in SlackNotifier) with two missing controls. It performs no permission check, so any user with Overall/Read access can invoke it with an arbitrary credentials ID, and it does not require POST requests, so it can also be triggered through cross-site request forgery (CSRF). In either case the plugin resolves the named credentials and connects to a caller-specified URL with them [2][3].
Exploitation
There are two ways to reach the method. A direct request needs only Overall/Read access to Jenkins plus a valid credentials ID obtained through another method (e.g., a separate information disclosure); the attacker calls the form validation method with that ID and a base URL pointing at a host they control. Because the method also accepted GET requests, an attacker can instead craft a page or link that makes the browser of a logged-in Jenkins user with Overall/Read issue the same request (CSRF), with no Jenkins account of their own. Either way, Jenkins connects to the attacker-controlled URL using the specified credentials [3].
Impact
Successful exploitation makes the Jenkins server transmit the referenced credential to the attacker-specified URL, where the attacker records it. Any credential stored in Jenkins whose ID the attacker knows and which the plugin accepts as a Slack token can be captured this way, potentially compromising the Jenkins instance and the services it integrates with [2][3].
Mitigation
Jenkins released version 2.20 of the Slack Notification Plugin on 2019-03-25, which fixes this vulnerability by annotating the form validation method with @POST (so it no longer answers GET requests and falls under Jenkins' CSRF protection) and by adding permission checks: Item/Configure on the job when called from a job context, Overall/Administer otherwise. Users should upgrade to version 2.20 or later. No workarounds are documented [3].
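The practical question for an operator is whether the installed plugin is still in the affected range (below 2.20). The following script, an added example that is not part of this page's sources or the Jenkins project, reads the plugin list in the JSON shape returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint and compares the Slack plugin's version against the fixed release. It assumes the plugin's short name in that listing is `slack` (matching the Maven artifact `org.jenkins-ci.plugins:slack`); the sample plugin list is constructed here for offline use. Version strings are compared numerically segment by segment, because a plain string comparison would rank "2.3" above "2.19".

```python
"""Check whether an installed Jenkins Slack Notification Plugin is below the
CVE-2019-1003044 fix version (2.20).

Added example for this page; not code from the Jenkins project.
Assumption: the plugin's short name in the pluginManager API is "slack".
"""
import base64
import json
import re
import urllib.request
from typing import Optional

PLUGIN_SHORT_NAME = "slack"   # assumption: short name of the Slack Notification Plugin
FIXED_VERSION = "2.20"        # first release with @POST + permission checks

_LEADING_NUMBER = re.compile(r"\d+")


def version_key(version: str) -> tuple:
    """Turn '2.19', '2.20.1' or '2.3' into a tuple of ints for comparison.

    Numeric prefixes of each dot-separated segment are used; a segment with
    no leading number (e.g. the 'v0da_f...' part of newer Jenkins version
    strings, or '-SNAPSHOT') ends the key. '2.3' therefore sorts below
    '2.19', which a plain string comparison would get wrong.
    """
    parts = []
    for segment in version.split("."):
        m = _LEADING_NUMBER.match(segment)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is strictly below the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_plugin(plugin_list_json: str, short_name: str = PLUGIN_SHORT_NAME) -> Optional[dict]:
    """Locate one plugin entry in the JSON body of /pluginManager/api/json?depth=1."""
    data = json.loads(plugin_list_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(plugin_list_json: str) -> str:
    """Classify the instance as 'not-installed', 'vulnerable' or 'patched'."""
    plugin = find_plugin(plugin_list_json)
    if plugin is None:
        return "not-installed"
    return "vulnerable" if is_vulnerable(str(plugin.get("version", "0"))) else "patched"


def fetch_plugin_list(jenkins_url: str, user: str, api_token: str) -> str:
    """Pull the plugin list from a live instance using HTTP basic auth with an
    API token. Overall/Read is enough, the same level of access the vulnerable
    endpoint required. Not called by default so the script runs offline."""
    req = urllib.request.Request(jenkins_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed sample in the shape of the pluginManager API response (not real data).
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "credentials", "version": "2.1.18", "active": True},
        {"shortName": "slack", "version": "2.19", "active": True},
    ]
})

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_plugin_list(...)
    # output to check a real instance.
    print(f"slack plugin status: {assess(SAMPLE_PLUGIN_LIST)}")
```

Run against a live instance by replacing `SAMPLE_PLUGIN_LIST` with the result of `fetch_plugin_list("https://jenkins.example", "user", "api-token")`; a `vulnerable` result means the instance still accepts the unauthenticated, GET-reachable form validation call described above and should be upgraded to 2.20 or later.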
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:slack (Maven) | < 2.20 | 2.20 |
Affected products
- Slack Notification Plugin, range: 2.19 and earlier
Patches
1 file changed · +7 −0
src/main/java/jenkins/plugins/slack/SlackNotifier.java+7 −0 modified@@ -34,6 +34,7 @@ import org.kohsuke.stapler.DataBoundSetter; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.verb.POST; import java.util.NoSuchElementException; import java.util.function.Function; @@ -639,12 +640,18 @@ public String getDisplayName() { return PLUGIN_DISPLAY_NAME; } + @POST public FormValidation doTestConnection(@QueryParameter("baseUrl") final String baseUrl, @QueryParameter("teamDomain") final String teamDomain, @QueryParameter("tokenCredentialId") final String tokenCredentialId, @QueryParameter("botUser") final boolean botUser, @QueryParameter("room") final String room, @AncestorInPath Project project) { + if (project == null) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + } else { + project.checkPermission(Item.CONFIGURE); + } try { String targetUrl = baseUrl;
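Review bot: the permission branch in doTestConnection keys on `@AncestorInPath Project project`, so a call made from any job type that is not a `Project` resolves to null and is routed to the `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` branch instead of `project.checkPermission(Item.CONFIGURE)` on the job being configured; if the plugin's test-connection form is reachable from other job types, consider widening the ancestor parameter to `Item` so the check applies to the job the caller is actually configuring rather than requiring Overall/Administer. Separately, the hunk adds only the `org.kohsuke.stapler.verb.POST` import, so confirm `Item` and `Jenkins` are already imported in this file.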
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5r8q-9fwv-2gpr (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1003044 (NVD)
- www.openwall.com/lists/oss-security/2019/03/28/2 (oss-security mailing list)
- www.securityfocus.com/bid/107628 (BID 107628)
- github.com/jenkinsci/slack-plugin/commit/0268bbefdcc283effd27be5318770f7e75c6f102 (fix commit)
- jenkins.io/security/advisory/2019-03-25/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.