VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 5, 2024

CVE-2019-1003059

Description

A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing permission check in FTP publisher Plugin allows attackers with Overall/Read permission to initiate connections to attacker-specified servers.

Vulnerability

The FTP publisher Plugin for Jenkins contains a missing permission check in the FTPPublisher.DescriptorImpl#doLoginCheck method, a form-validation method that tests a login to the FTP server entered in a job's configuration. Because the method does not check the caller's permissions, any user with Overall/Read permission, which most authenticated users hold by default, can make the Jenkins controller open a connection to a server of the attacker's choosing. Affected versions are FTP publisher Plugin 1.2 and earlier, as listed in the Jenkins Security Advisory 2019-04-03 [1].

Exploitation

An attacker holding Overall/Read permission sends a request to the doLoginCheck endpoint with the server address (and whatever other connection parameters the method accepts) set to an attacker-chosen value. The plugin then opens an outbound connection from the Jenkins controller to that server; no further authorization and no interaction from another user is required [1]. The only prerequisite is an account with Overall/Read, which on many installations means every authenticated user and, where anonymous read access is enabled, unauthenticated visitors as well.
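As an added example (not code from this page or from the plugin), the following Python flags requests to the doLoginCheck endpoint in a Jenkins access log, so a defender can see who is driving the form-validation method and against which targets. The log lines are constructed in NCSA combined format; the descriptor class path and the query parameter names (hostname, port) are assumptions, and only the FTPPublisher part of the descriptor name is matched because the page does not give the fully qualified class name.

```python
"""Flag Jenkins access-log requests to the FTP publisher doLoginCheck endpoint.

Added example; not code from this page or from the plugin. Assumptions:
- Jenkins access logging is on and lines are NCSA combined format (the sample
  below is constructed, not a real capture);
- the validation URL ends in /descriptorByName/<class>/doLoginCheck; the fully
  qualified class name is not given on the page, so any descriptor name
  containing "FTPPublisher" is matched;
- the query parameter names (hostname, port) are illustrative.
"""
import re
from typing import Any, Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one normal config-page visit, one user iterating over
# internal hosts through the validation endpoint, and an anonymous hit.
SAMPLE_LOG = """\
10.0.0.5 - alice [04/Apr/2019:10:01:02 +0000] "GET /job/web/configure HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - bob [04/Apr/2019:10:01:09 +0000] "GET /descriptorByName/com.example.FTPPublisher/doLoginCheck?hostname=10.0.0.1&port=21&user=x&password=y HTTP/1.1" 200 42 "-" "curl/7.64.0"
10.0.0.9 - bob [04/Apr/2019:10:01:11 +0000] "GET /descriptorByName/com.example.FTPPublisher/doLoginCheck?hostname=10.0.0.2&port=22&user=x&password=y HTTP/1.1" 200 42 "-" "curl/7.64.0"
10.0.0.5 - alice [04/Apr/2019:10:02:00 +0000] "POST /job/web/configSubmit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Apr/2019:10:03:00 +0000] "GET /descriptorByName/com.example.FTPPublisher/doLoginCheck?hostname=ftp.attacker.example&port=21 HTTP/1.1" 200 42 "-" "curl/7.64.0"
"""

NCSA = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Form-validation URL for any descriptor whose class name contains FTPPublisher.
DO_LOGIN_CHECK = re.compile(r"/descriptorByName/[^/]*FTPPublisher[^/]*/doLoginCheck$")


def find_login_checks(log_text: str) -> List[Dict[str, Any]]:
    """One record per request that reached doLoginCheck: caller, source IP,
    HTTP method, status and the server parameters from the query string."""
    hits: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        m = NCSA.match(line)
        if not m:
            continue  # not an access-log line we understand; skip, do not crash
        parts = urlsplit(m.group("target"))
        if not DO_LOGIN_CHECK.search(parts.path):
            continue
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        hits.append({
            "user": m.group("user"),
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": m.group("status"),
            "params": params,
        })
    return hits


def suspicious_callers(hits: List[Dict[str, Any]], min_targets: int = 2) -> Dict[str, List[str]]:
    """Callers who validated against several distinct host:port pairs.

    A single check from the job configuration page is normal usage; the same
    caller walking through hosts or ports is the probing pattern this CVE enables.
    """
    targets: Dict[str, set] = {}
    for h in hits:
        p = h["params"]
        target = f"{p.get('hostname', '?')}:{p.get('port', '21')}"
        targets.setdefault(str(h["user"]), set()).add(target)
    return {u: sorted(t) for u, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    found = find_login_checks(SAMPLE_LOG)
    for h in found:
        print(h["user"], h["ip"], h["method"], h["params"])
    print("probing:", suspicious_callers(found))
```

A single validation request is ordinary use of the configuration page; the signal worth alerting on is one caller, or one source address, reaching the endpoint with a sequence of different hosts or ports, which is why the second function groups by caller rather than reporting every hit.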

Impact

Successful exploitation makes the Jenkins controller connect to a host and port chosen by the attacker. Because the controller often sits in a network segment the attacker cannot reach directly, this works as server-side request forgery: the validation result (success or error) typically tells the attacker whether the target accepted the connection, so internal hosts and ports can be enumerated. The impact is limited to initiating that connection and observing its outcome; nothing on this page indicates that data from Jenkins is sent to the remote server. The Jenkins advisory rates the issue Low [1][3]; the NVD severity shown at the top of this page is Moderate.

Mitigation

The Jenkins Security Advisory 2019-04-03 [1] describes the issue, but the affected-packages table on this page lists no patched version for org.jvnet.hudson.plugins:ftppublisher (affected: 1.2 and earlier), and no patch has been recorded. Until a release that adds the permission check is available, treat the plugin as unfixed: remove it from controllers that do not need it, or confine Overall/Read to trusted accounts (in particular, do not grant anonymous read access). Check the installed version in the plugin manager, and confirm that no job still depends on the plugin before uninstalling it.
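As an added example, not part of this page or the plugin, the following Python checks a Jenkins plugin inventory for an installed FTP publisher Plugin in the affected range. It assumes the plugin's shortName in the plugin manager API is ftppublisher (matching the Maven artifactId listed under Affected packages) and uses a constructed sample of the /pluginManager/api/json?depth=1 output; the version comparison is numeric so that, for instance, 1.10 is not mistaken for an old release.

```python
"""Audit a Jenkins plugin inventory for FTP publisher Plugin 1.2 or earlier.

Added example; not code from this page or from the plugin. It reads the JSON
that Jenkins serves at /pluginManager/api/json?depth=1 (a constructed sample is
embedded below). The plugin shortName "ftppublisher" is assumed to equal the
Maven artifactId listed in the affected-packages table; the affected range
(<= 1.2, no patched version) is taken from the same table.
"""
import json
import re
from typing import Dict, List, Tuple

AFFECTED_SHORTNAME = "ftppublisher"   # assumption: matches the artifactId
LAST_AFFECTED = "1.2"                 # page lists affected versions as <= 1.2

# Constructed sample of the plugin manager API output, trimmed to the fields used.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "3.9.1", "enabled": True},
        {"shortName": "ftppublisher", "version": "1.2", "enabled": True},
        {"shortName": "credentials", "version": "2.1.18", "enabled": True},
    ]
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare the leading dotted-integer run numerically, so 1.10 > 1.2 and a
    qualifier such as 1.2-SNAPSHOT compares as 1.2 (plain string comparison
    gets both cases wrong)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable plugin version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True for the range the page lists as affected: 1.2 and earlier.
    A longer tuple with the same prefix (1.2.1) compares greater and is not flagged."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def find_vulnerable_plugins(inventory_json: str) -> List[Dict[str, object]]:
    """Findings for every installed copy of the affected plugin.

    Disabled copies are reported too: the code stays on disk and re-enabling
    brings the endpoint back, so removal rather than disabling is the durable fix.
    """
    data = json.loads(inventory_json)
    findings: List[Dict[str, object]] = []
    for p in data.get("plugins", []):
        if p.get("shortName") != AFFECTED_SHORTNAME:
            continue
        version = str(p.get("version", "0"))
        hit = is_affected(version)
        findings.append({
            "shortName": p["shortName"],
            "version": version,
            "enabled": bool(p.get("enabled", False)),
            "affected": hit,
            "advice": ("remove the plugin; no patched version is listed"
                       if hit else "version is outside the affected range"),
        })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_plugins(SAMPLE_INVENTORY):
        print(f)
```

To run this against a live controller, fetch the inventory with an account allowed to view the plugin manager (for example with curl and an API token against $JENKINS_URL/pluginManager/api/json?depth=1) and pass the response body to find_vulnerable_plugins. Because the page lists no patched version, every installed copy in the affected range is reported with removal as the advice.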

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Ecosystem   Affected versions   Patched versions
org.jvnet.hudson.plugins:ftppublisher    Maven       <= 1.2              (none listed)

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)