VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 5, 2024

CVE-2019-1003081

Description

A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins OpenShift Deployer Plugin missing permission check allows attackers with Overall/Read to initiate connections to arbitrary servers.

Vulnerability

The Jenkins OpenShift Deployer Plugin contains a missing permission check in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method [1][3]. This flaw allows any user with Overall/Read permission to trigger a connection from the Jenkins controller to an attacker-specified server. The vulnerability affects all versions of the plugin prior to the fix; the affected versions include those before 1.0.4 [1].

Exploitation

An attacker with Overall/Read permission can craft a request to the doCheckLogin endpoint, supplying a server URL of their choice. The plugin will then initiate an outbound connection from the Jenkins controller to that URL [3]. No additional authentication or user interaction is required beyond the initial permission.

Impact

Successful exploitation allows the attacker to force the Jenkins controller to connect to an arbitrary external or internal server. This can be used for server-side request forgery (SSRF) attacks, network reconnaissance, or to probe internal services that are not directly accessible [1][3]. The attacker does not gain direct code execution or data modification on the Jenkins controller.

Mitigation

The vulnerability is fixed in OpenShift Deployer Plugin version 1.0.4, released as part of the Jenkins Security Advisory on 2019-04-03 [1]. Users should upgrade to this version or later. No workarounds are documented; upgrading is the recommended action.
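
The missing check described above, shown beside the general Jenkins pattern for adding one. This is an added example, not the OpenShift Deployer Plugin's source: the class `ExampleDeployStep`, the parameter `serverUrl`, the method `doCheckLoginUnchecked` and the helper `probe` are hypothetical, and the permission choice (Item/Configure, falling back to Overall/Administer) is an assumption about what suits a build-step form.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical build step for illustration; not the plugin's actual code.
public class ExampleDeployStep extends Builder {
    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> t) { return true; }
        @Override public String getDisplayName() { return "Example deploy step"; }

        // BEFORE (the flaw class described above): no permission check, so any
        // user holding Overall/Read can make the controller open the connection.
        public FormValidation doCheckLoginUnchecked(@QueryParameter String serverUrl) {
            return probe(serverUrl);
        }

        // AFTER: require configure rights on the job (or Administer when no job
        // is in the request path) before any network I/O; @POST rejects GET.
        @POST
        public FormValidation doCheckLogin(@AncestorInPath Item item, @QueryParameter String serverUrl) {
            if (item == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            else item.checkPermission(Item.CONFIGURE);
            return probe(serverUrl);
        }

        // Assumed stand-in for the plugin's login test: one outbound HTTP request.
        private static FormValidation probe(String serverUrl) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(serverUrl).openConnection();
                c.setConnectTimeout(5000);
                int status = c.getResponseCode();
                return status < 400 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error("Connection failed");
            }
        }
    }
}
```

`checkPermission` throws `AccessDeniedException` before `probe` runs, so a caller without the required permission never causes an outbound connection.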

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                             Affected versions   Patched versions
org.jenkins-ci.plugins:openshift-deployer (Maven)   <= 1.2.0

Patches

0

No patches discovered yet.
