Moderate severity · NVD Advisory · Published Mar 28, 2019 · Updated Aug 5, 2024

CVE-2019-1003046

Description

Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier has a CSRF vulnerability allowing attackers to initiate connections to attacker-specified servers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Fortify on Demand Uploader Plugin version 3.0.10 and earlier contains a cross-site request forgery (CSRF) vulnerability in the doTestApiKeyConnection form validation method [1][2]. The method lacks the @POST annotation and a permission check, so any user with Overall/Read access can invoke it with a plain GET request, and a CSRF link can do so on such a user's behalf without any authorization check [2].

Exploitation

An attacker can craft a malicious web page or link that, when visited by an authenticated Jenkins user with Overall/Read access, triggers a GET request to the vulnerable endpoint [1][3]. This causes Jenkins to initiate a connection to an attacker-specified server using attacker-controlled parameters (client ID, client secret, base URL, API URL) [2]. No further user interaction is needed beyond the victim clicking the malicious link.

Impact

A successful exploit allows an attacker to force Jenkins to connect to any server they control, potentially leaking information about the Jenkins environment or credentials used in the connection attempt [1]. The attacker does not gain direct access to Jenkins data but can use this as a stepping stone for further attacks, such as credential harvesting or network reconnaissance.

Mitigation

Jenkins Security Advisory 2019-03-25 fixed this vulnerability in Fortify on Demand Uploader Plugin version 3.0.11 by adding the @POST annotation and a permission check for Jenkins.ADMINISTER [1][2]. Users should upgrade to version 3.0.11 or later immediately. No workarounds are documented for older versions [1].
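The Vulnerability and Mitigation sections above describe one pattern: a Stapler form-validation method that reads @QueryParameter input and opens a connection, but carries neither a @POST annotation nor a permission check. The following Python script is an added example, not code from the plugin, the Jenkins advisory, or this site, that audits Java source text for that shape so a plugin reviewer can find it before release. The two embedded Java snippets are constructed to mirror the before and after of the fix; the rule that doTest* methods need both guards while any other doXxx method needs at least a permission check, and the use of a brace counter instead of a real Java parser, are this script's own assumptions.

```python
"""Heuristic audit for the CVE-2019-1003046 pattern: Stapler form-validation
methods (public FormValidation doXxx(@QueryParameter ...)) that handle request
input but lack a @POST/@RequirePOST annotation and/or a permission check.
Added example; the Java samples below are constructed, not the plugin's code."""
import re
from dataclasses import dataclass

# Method header: optional annotations, then `public FormValidation doXxx(...) {`.
# The parameter list may contain one level of nested parentheses, e.g. @QueryParameter(CLIENT_ID).
_METHOD_RE = re.compile(
    r"(?P<annotations>(?:@\w+(?:\([^)]*\))?\s*)*)"
    r"public\s+FormValidation\s+(?P<name>do\w+)\s*"
    r"\((?P<params>(?:[^()]|\([^()]*\))*)\)\s*\{",
    re.S,
)


@dataclass(frozen=True)
class Finding:
    method: str
    has_post: bool              # @POST or @RequirePOST present on the method
    has_permission_check: bool  # a checkPermission(...) call inside the body

    @property
    def is_unsafe(self) -> bool:
        # Assumption of this heuristic: every doXxx that reads request input needs a
        # permission check, and doTest* methods (which open outbound connections) must
        # additionally be POST-only so a GET link cannot trigger them (the CSRF above).
        if not self.has_permission_check:
            return True
        return self.method.startswith("doTest") and not self.has_post


def _body_from(text: str, start: int) -> str:
    """Return the body whose opening brace sits just before `start`, using a plain
    brace counter (braces inside string literals are not special-cased)."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i]


def audit_source(java: str) -> list[Finding]:
    """Scan Java source text and describe each parameter-driven doXxx method."""
    findings = []
    for m in _METHOD_RE.finditer(java):
        if "@QueryParameter" not in m.group("params"):
            continue  # takes no request input; out of scope for this check
        findings.append(Finding(
            method=m.group("name"),
            has_post=re.search(r"@(?:Require)?POST\b", m.group("annotations")) is not None,
            has_permission_check="checkPermission(" in _body_from(java, m.end()),
        ))
    return findings


def unsafe_methods(java: str) -> list[str]:
    """Names of the methods audit_source() flags, in source order."""
    return [f.method for f in audit_source(java) if f.is_unsafe]


# Constructed sample: the pre-fix shape (no @POST, no permission check).
VULNERABLE_SAMPLE = """
    @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
    public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final String clientId,
                                                 @QueryParameter(BASE_URL) final String baseUrl)
    {
        if (Utils.isNullOrEmpty(baseUrl))
            return FormValidation.error("Fortify on Demand URL is empty!");
        return FormValidation.ok();
    }

    public FormValidation doCheckBsiToken(@QueryParameter String bsiToken)
    {
        if (bsiToken != null && !bsiToken.isEmpty()) { return FormValidation.ok(); }
        return FormValidation.error("BSI token is empty");
    }
"""

# Constructed sample: the post-fix shape (POST-only plus a Jenkins.ADMINISTER check).
FIXED_SAMPLE = """
    @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
    @POST
    public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final String clientId,
                                                 @QueryParameter(BASE_URL) final String baseUrl)
    {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (Utils.isNullOrEmpty(baseUrl))
            return FormValidation.error("Fortify on Demand URL is empty!");
        return FormValidation.ok();
    }

    public FormValidation doCheckBsiToken(@QueryParameter String bsiToken)
    {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (bsiToken != null && !bsiToken.isEmpty()) { return FormValidation.ok(); }
        return FormValidation.error("BSI token is empty");
    }
"""

if __name__ == "__main__":
    for label, src in (("before fix", VULNERABLE_SAMPLE), ("after fix", FIXED_SAMPLE)):
        print(label, "->", unsafe_methods(src) or "no findings")
```

Run against the vulnerable sample the script flags both methods; against the fixed sample it reports nothing. Treat hits as review leads rather than verdicts: the string-level match cannot see a permission check performed in a helper the method calls, and a method annotated @POST in a superclass or guarded by a Jenkins security realm outside the source file would also be flagged.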

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:fortify-on-demand-uploader (Maven)
Affected versions: < 3.0.11
Patched versions: 3.0.11

Patches

e555f8d62ef7

[SECURITY-992] Fix for security issue

4 files changed · +19 -4
  • pom.xml (+3 -3, modified)
    @@ -5,7 +5,7 @@
         <parent>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>plugin</artifactId>
    -        <version>2.11</version>
    +        <version>2.33</version>
             <relativePath />
         </parent>
         <groupId>org.jenkins-ci.plugins</groupId>
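Review bot: the parent POM bump from 2.11 to 2.33 is build-infrastructure work bundled into a security fix, and the commit message ("[SECURITY-992] Fix for security issue") does not say so; state in the message or changelog that the plugin's build baseline changes in this commit, so that users upgrading to 3.0.11 for the CSRF fix know to expect the new requirements.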
    @@ -14,9 +14,9 @@
         <packaging>hpi</packaging>
     
         <properties>
    -        <jenkins.version>1.625.3</jenkins.version>
    +        <jenkins.version>2.121.3</jenkins.version>
             <java.level>8</java.level>
    -        <jenkins-test-harness.version>2.13</jenkins-test-harness.version>
    +        <jenkins-test-harness.version>2.47</jenkins-test-harness.version>
             <disabledTestInjection>true</disabledTestInjection>
         </properties>
     
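Review bot: the jump of jenkins.version from 1.625.3 to 2.121.3 is required rather than incidental, because the fix calls Jenkins.get(), which does not exist on 1.625.x (Jenkins.getInstance() was the accessor before 2.98); a one-line comment next to the property, or a changelog note, would stop a later cleanup from reverting the bump as unrelated. The jenkins-test-harness.version bump to 2.47 follows from the same core version.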
    
  • src/main/java/org/jenkinsci/plugins/fodupload/FodGlobalDescriptor.java (+6 -0, modified)
    @@ -8,7 +8,9 @@
     import org.kohsuke.stapler.StaplerRequest;
     
     import java.io.IOException;
    +import jenkins.model.Jenkins;
     import org.jenkinsci.plugins.fodupload.models.FodEnums.GrantType;
    +import org.kohsuke.stapler.verb.POST;
     
     @Extension
     public class FodGlobalDescriptor extends GlobalConfiguration {
    @@ -119,11 +121,13 @@ public boolean getAuthTypeIsPersonalToken()
         }
        
         @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
    +    @POST
         public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final String clientId,
                                                @QueryParameter(CLIENT_SECRET) final String clientSecret,
                                                @QueryParameter(BASE_URL) final String baseUrl,
                                                @QueryParameter(API_URL) final String apiUrl)
         {
    +        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             FodApiConnection testApi;
             if (Utils.isNullOrEmpty(baseUrl))
                 return FormValidation.error("Fortify on Demand URL is empty!");
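Review bot: the permission check is placed before any parameter is used, which is the right order, so even the "URL is empty" error path is no longer reachable without Jenkins.ADMINISTER. The caveat is that @POST makes Stapler reject GET requests to doTestApiKeyConnection, so the global config.jelly button that calls it must submit via POST (Jenkins' f:validateButton does); that jelly file is not in this diff, so confirm it manually or the "test connection" button stops working silently after this change.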
    @@ -139,12 +143,14 @@ public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final St
         
         // Form validation
         @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
    +    @POST
         public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username,
                                                @QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken,
                                                @QueryParameter(TENANT_ID) final String tenantId,
                                                @QueryParameter(BASE_URL) final String baseUrl,
                                                @QueryParameter(API_URL) final String apiUrl)
         {
    +        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             FodApiConnection testApi;
             if (Utils.isNullOrEmpty(baseUrl))
                 return FormValidation.error("Fortify on Demand URL is empty!");
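Review bot: this hunk hardens doTestPersonalAccessTokenConnection with the same @POST and Jenkins.ADMINISTER pair, while the advisory summary names only doTestApiKeyConnection; the 3.0.11 release note should list both endpoints so administrators checking access logs for pre-upgrade requests to these paths know which method names to search for.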
    
  • src/main/java/org/jenkinsci/plugins/fodupload/PollingBuildStep.java (+5 -1, modified)
    @@ -26,9 +26,11 @@
     import java.io.IOException;
     import java.io.PrintStream;
     import java.net.URISyntaxException;
    +import jenkins.model.Jenkins;
     import org.jenkinsci.plugins.fodupload.models.AuthenticationModel;
     import org.jenkinsci.plugins.fodupload.models.FodEnums;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.verb.POST;
     
     @SuppressWarnings("unused")
     public class PollingBuildStep extends Recorder implements SimpleBuildStep {
    @@ -206,9 +208,9 @@ public String getDisplayName() {
                 return "Poll Fortify on Demand for Results";
             }
     
    -        
              public FormValidation doCheckBsiToken(@QueryParameter String bsiToken)
             {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 if(bsiToken != null && !bsiToken.isEmpty() ){
                     BsiTokenParser tokenParser = new BsiTokenParser();
                     try{
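Review bot: doCheckBsiToken only parses a string and opens no connection, so a permission check without @POST is a defensible choice, but Jenkins.ADMINISTER is a surprising level for a build-step descriptor: the usual pattern there is item.checkPermission(Item.CONFIGURE) on an @AncestorInPath Item, because with ADMINISTER every non-admin user editing a job loses the inline BSI token validation (the call fails with access denied). The removed whitespace-only line is cosmetic.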
    @@ -246,10 +248,12 @@ public FormValidation doCheckPollingInterval(@QueryParameter String pollingInter
             // Form validation
             @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
             @SuppressFBWarnings("NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE")
    +        @POST
             public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username,
                                                    @QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken,
                                                    @QueryParameter(TENANT_ID) final String tenantId)
             {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 FodApiConnection testApi;
                 String baseUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getBaseUrl();
                 String apiUrl =  GlobalConfiguration.all().get(FodGlobalDescriptor.class).getApiUrl();
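Review bot: here baseUrl and apiUrl come from the global FodGlobalDescriptor rather than from the request, so only the credentials are request-controlled; @POST plus the permission check is still the right fix, since the method initiates an outbound connection carrying whatever username and token the caller supplies. Separately, @SuppressFBWarnings("NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE") hides the case where GlobalConfiguration.all().get(FodGlobalDescriptor.class) returns null; returning FormValidation.error when the global configuration is missing would handle it instead of suppressing the warning.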
    
  • src/main/java/org/jenkinsci/plugins/fodupload/StaticAssessmentBuildStep.java (+5 -0, modified)
    @@ -33,8 +33,10 @@
     import java.io.PrintStream;
     import java.io.UnsupportedEncodingException;
     import java.net.URISyntaxException;
    +import jenkins.model.Jenkins;
     import org.jenkinsci.plugins.fodupload.models.AuthenticationModel;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.verb.POST;
     
     
     @SuppressWarnings("unused")
    @@ -226,6 +228,7 @@ public boolean isApplicable(Class<? extends AbstractProject> aClass) {
            
             public FormValidation doCheckBsiToken(@QueryParameter String bsiToken)
             {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 if(bsiToken != null && !bsiToken.isEmpty() ){
                     BsiTokenParser tokenParser = new BsiTokenParser();
                     try{
    @@ -252,10 +255,12 @@ public String getDisplayName() {
             // Form validation
             @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
             @SuppressFBWarnings("NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE")
    +        @POST
             public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username,
                                                    @QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken,
                                                    @QueryParameter(TENANT_ID) final String tenantId)
             {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 FodApiConnection testApi;
                 String baseUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getBaseUrl();
                 String apiUrl =  GlobalConfiguration.all().get(FodGlobalDescriptor.class).getApiUrl();
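Review bot: this doTestPersonalAccessTokenConnection is a line-for-line copy of the one in PollingBuildStep, and the fix had to be applied twice; extracting the shared body into one helper (for example on FodGlobalDescriptor, which already owns the URLs being read here) would keep the @POST and checkPermission guards in a single place, so a future hardening is not applied to one copy and missed in the other.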
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
