VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 5, 2024

CVE-2019-1003058

Description

A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Jenkins FTP publisher Plugin allows attackers to initiate connections to attacker-specified servers via the doLoginCheck method.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins FTP publisher Plugin, in the FTPPublisher.DescriptorImpl#doLoginCheck method [1][2][3]. The flaw allows an attacker to perform an action on behalf of an authenticated Jenkins user, specifically to make the Jenkins controller initiate a connection to an attacker-specified server. Affected plugin versions are those released before the Jenkins security advisory of 2019-04-03 [1].

Exploitation

To exploit this vulnerability, an attacker must trick a Jenkins user with the necessary permissions into visiting a malicious web page or link [1][2]. No special network position is required; the attack is performed via a standard web browser. The attacker crafts a request that targets the doLoginCheck method, causing the victim's browser to send the forged request, which then initiates a connection to a server specified by the attacker [1][3].

Impact

Successful exploitation allows the attacker to cause the Jenkins controller to initiate a connection to an attacker-specified server [1][3]. This could lead to information disclosure if that server captures the data sent during the connection, or serve as a stepping stone for further attacks. The direct impact is limited to initiating the network connection; the actual consequences depend on what the attacker's server does with it and on the data transmitted [1].

Mitigation

Jenkins released a security advisory on 2019-04-03 [1]. Users should update the FTP publisher Plugin to a version that includes the fix for this vulnerability. As of the advisory, no specific workaround is mentioned [1]. The CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog at this time.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jvnet.hudson.plugins:ftppublisher (Maven)
Affected versions: <= 1.2
Patched versions: (none listed)

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 5
