CVE-2019-1003047
Description
Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier lacks a permission check, allowing users with Overall/Read to connect to an attacker-controlled server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier lacks a permission check, allowing users with Overall/Read to connect to an attacker-controlled server.
Vulnerability
A missing permission check in Jenkins Fortify on Demand Uploader Plugin version 3.0.10 and earlier allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server [1]. The form-validation methods doTestApiKeyConnection and doTestPersonalAccessTokenConnection in FodGlobalDescriptor were neither annotated with @POST nor guarded by an Administer permission check, so any authenticated user could reach them with a plain GET request [2]. The fix commit also hardens doCheckBsiToken and doTestPersonalAccessTokenConnection in the PollingBuildStep and StaticAssessmentBuildStep descriptors; those variants read the base and API URL from the global configuration rather than from the request, so they let a low-privileged user submit credentials to the configured server but not choose the target host [2].
Exploitation
An attacker needs only Overall/Read permission on a Jenkins instance. By sending an HTTP GET request to the form-validation URL of the global configuration with the client ID, client secret, base URL and API URL in the query string, the attacker can make the plugin connect to an attacker-specified server using attacker-supplied credentials [2]. No additional privileges or user interaction is required beyond the basic read access [1].
Impact
Successful exploitation allows the attacker to make the Jenkins controller issue HTTP requests to an arbitrary server of the attacker's choosing, a server-side request forgery (SSRF). The outbound request carries only attacker-supplied values (the credentials and URLs passed in the query string), so the practical consequences are probing of hosts reachable from the controller's network position — the validation response presumably reveals whether the connection succeeded — and abuse of the controller as a request origin, rather than exfiltration of Jenkins-held data. The attacker does not gain code execution or elevated privileges on the Jenkins controller itself [1][2].
Mitigation
Jenkins Fortify on Demand Uploader Plugin version 3.0.11 fixes this issue by requiring the Administer permission and restricting the affected form-validation methods to POST requests [2]. The fix was included in the Jenkins Security Advisory 2019-03-25 [1]. Users should update to version 3.0.11 or later; note that the fix commit also raises jenkins.version in pom.xml from 1.625.3 to 2.121.3, so the patched release presumably requires at least that Jenkins core. No workaround is available if the plugin cannot be updated.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:fortify-on-demand-uploader (Maven) | < 3.0.11 | 3.0.11 |
Affected products
- Range: 3.0.10 and earlier
Patches
e555f8d62ef7 [SECURITY-992] Fix for security issue
4 files changed · +19 −4
pom.xml+3 −3 modified@@ -5,7 +5,7 @@ <parent> <groupId>org.jenkins-ci.plugins</groupId> <artifactId>plugin</artifactId> - <version>2.11</version> + <version>2.33</version> <relativePath /> </parent> <groupId>org.jenkins-ci.plugins</groupId> @@ -14,9 +14,9 @@ <packaging>hpi</packaging> <properties> - <jenkins.version>1.625.3</jenkins.version> + <jenkins.version>2.121.3</jenkins.version> <java.level>8</java.level> - <jenkins-test-harness.version>2.13</jenkins-test-harness.version> + <jenkins-test-harness.version>2.47</jenkins-test-harness.version> <disabledTestInjection>true</disabledTestInjection> </properties>
src/main/java/org/jenkinsci/plugins/fodupload/FodGlobalDescriptor.java+6 −0 modified@@ -8,7 +8,9 @@ import org.kohsuke.stapler.StaplerRequest; import java.io.IOException; +import jenkins.model.Jenkins; import org.jenkinsci.plugins.fodupload.models.FodEnums.GrantType; +import org.kohsuke.stapler.verb.POST; @Extension public class FodGlobalDescriptor extends GlobalConfiguration { @@ -119,11 +121,13 @@ public boolean getAuthTypeIsPersonalToken() } @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"}) + @POST public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final String clientId, @QueryParameter(CLIENT_SECRET) final String clientSecret, @QueryParameter(BASE_URL) final String baseUrl, @QueryParameter(API_URL) final String apiUrl) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); FodApiConnection testApi; if (Utils.isNullOrEmpty(baseUrl)) return FormValidation.error("Fortify on Demand URL is empty!"); @@ -139,12 +143,14 @@ public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final St // Form validation @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"}) + @POST public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username, @QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken, @QueryParameter(TENANT_ID) final String tenantId, @QueryParameter(BASE_URL) final String baseUrl, @QueryParameter(API_URL) final String apiUrl) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); FodApiConnection testApi; if (Utils.isNullOrEmpty(baseUrl)) return FormValidation.error("Fortify on Demand URL is empty!");
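Review bot: The new `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` lines in doTestApiKeyConnection and doTestPersonalAccessTokenConnection carry no comment explaining why the check must be the first statement, so a later maintainer adding validation above it could silently reintroduce the issue. Suggest on each: `// SECURITY-992: opens a connection to a caller-supplied URL with caller-supplied credentials; only administrators may trigger this, so check before touching any parameter.` Administer is the appropriate permission here, since these methods live on a GlobalConfiguration descriptor whose form only administrators can reach. `Jenkins.get()` only exists on newer cores, which is presumably why the pom bumps jenkins.version to 2.121.3 in the same commit. Both method bodies continue outside the hunk.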
src/main/java/org/jenkinsci/plugins/fodupload/PollingBuildStep.java+5 −1 modified@@ -26,9 +26,11 @@ import java.io.IOException; import java.io.PrintStream; import java.net.URISyntaxException; +import jenkins.model.Jenkins; import org.jenkinsci.plugins.fodupload.models.AuthenticationModel; import org.jenkinsci.plugins.fodupload.models.FodEnums; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.verb.POST; @SuppressWarnings("unused") public class PollingBuildStep extends Recorder implements SimpleBuildStep { @@ -206,9 +208,9 @@ public String getDisplayName() { return "Poll Fortify on Demand for Results"; } - public FormValidation doCheckBsiToken(@QueryParameter String bsiToken) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); if(bsiToken != null && !bsiToken.isEmpty() ){ BsiTokenParser tokenParser = new BsiTokenParser(); try{ @@ -246,10 +248,12 @@ public FormValidation doCheckPollingInterval(@QueryParameter String pollingInter // Form validation @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"}) @SuppressFBWarnings("NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE") + @POST public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username, @QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken, @QueryParameter(TENANT_ID) final String tenantId) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); FodApiConnection testApi; String baseUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getBaseUrl(); String apiUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getApiUrl();
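Review bot: `Jenkins.ADMINISTER` is a stricter check than the build-step form validation here appears to need: doCheckBsiToken and doTestPersonalAccessTokenConnection sit beside `getDisplayName`, i.e. on a job-level descriptor, so a user with Item/Configure but not Overall/Administer will now get an access-denied error from validation while editing a job. The usual Jenkins pattern takes `@AncestorInPath Item item` (imports hudson.model.Item and org.kohsuke.stapler.AncestorInPath) and checks `if (item == null) { Jenkins.get().checkPermission(Jenkins.ADMINISTER); } else { item.checkPermission(Item.CONFIGURE); }`. That scoping does not reopen the advisory's issue for this class, because its connection test reads baseUrl and apiUrl from the global configuration rather than from the request, so the caller cannot pick the target host. The `-` marker in front of the doCheckBsiToken signature most likely belongs to a removed blank line rather than the signature itself, and both method bodies run past the hunk.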
src/main/java/org/jenkinsci/plugins/fodupload/StaticAssessmentBuildStep.java+5 −0 modified@@ -33,8 +33,10 @@ import java.io.PrintStream; import java.io.UnsupportedEncodingException; import java.net.URISyntaxException; +import jenkins.model.Jenkins; import org.jenkinsci.plugins.fodupload.models.AuthenticationModel; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.verb.POST; @SuppressWarnings("unused") @@ -226,6 +228,7 @@ public boolean isApplicable(Class<? extends AbstractProject> aClass) { public FormValidation doCheckBsiToken(@QueryParameter String bsiToken) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); if(bsiToken != null && !bsiToken.isEmpty() ){ BsiTokenParser tokenParser = new BsiTokenParser(); try{ @@ -252,10 +255,12 @@ public String getDisplayName() { // Form validation @SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"}) @SuppressFBWarnings("NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE") + @POST public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username, @QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken, @QueryParameter(TENANT_ID) final String tenantId) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); FodApiConnection testApi; String baseUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getBaseUrl(); String apiUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getApiUrl();
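Review bot: doCheckBsiToken gains the Administer check but, unlike doTestPersonalAccessTokenConnection directly below it, no `@POST`, and nothing records whether that asymmetry is deliberate. From the visible lines doCheckBsiToken only hands the value to a local `BsiTokenParser`, so GET is presumably acceptable because no outbound request is made; a comment should say so, e.g. `// No @POST: the token is only parsed locally; no connection is opened.` If the BSI token is treated as a secret, adding `@POST` anyway keeps it out of URLs and access logs. As with PollingBuildStep, this is a job-level descriptor (`isApplicable(Class<? extends AbstractProject>)` is visible), so an `Item.CONFIGURE` check via `@AncestorInPath Item` would be less disruptive for non-admin job configurers than `Jenkins.ADMINISTER`. Both methods continue beyond the hunk.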
References
- github.com/advisories/GHSA-h3rg-4h5g-8fqg (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003047 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2019/03/28/2 (ghsa; mailing-list; x_refsource_MLIST; WEB)
- www.securityfocus.com/bid/107628 (ghsa; vdb-entry; x_refsource_BID; WEB)
- github.com/jenkinsci/fortify-on-demand-uploader-plugin/commit/e555f8d62ef793ce221f471d7172cad847fb9252 (ghsa; WEB)
- jenkins.io/security/advisory/2019-03-25/ (ghsa; x_refsource_CONFIRM; WEB)