Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 5, 2024

CVE-2019-1003082

Description

A CSRF vulnerability in Jenkins Gearman Plugin allows attackers to initiate a connection to an attacker-specified server via the form validation method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method. This allows an attacker to trick a Jenkins user with the necessary permissions into initiating a connection to an attacker-specified server. The affected versions include Gearman Plugin before the fix released on 2019-04-03 [1][3].

Exploitation

To exploit this vulnerability, an attacker must craft a malicious web page or link that, when accessed by a Jenkins user with appropriate permissions (e.g., a Jenkins administrator or user with access to the plugin configuration), triggers a forged request to the Jenkins server. The request targets the doTestConnection endpoint, and the attacker provides the address of a server they control. The attacker does not need authentication on the Jenkins instance, but the victim user must have the ability to access the plugin configuration page [1][3].

Impact

Successful exploitation allows the attacker to cause the Jenkins server to initiate a network connection to an attacker-specified server. This can lead to information disclosure, such as the attacker learning about the Jenkins network environment, or could be used to further probe internal network services. The connection is initiated from the Jenkins controller. No code execution or data modification on the Jenkins server is directly achieved, but it can be a stepping stone for more targeted attacks [1][3].

Mitigation

The vulnerability is fixed in Gearman Plugin versions released after 2019-04-03. Users should update to the latest version of the plugin available from the Jenkins update center. No workarounds are documented. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][3].
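The standard hardening pattern for a Jenkins form-validation endpoint of this kind, shown here as an added illustration rather than the Gearman Plugin's own code or its actual patch: restrict the method to POST so Jenkins' CSRF crumb check applies, and require a permission before any outbound connection is attempted. The class name, parameter names and probe logic are assumptions.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

// Hypothetical global configuration page with a "Test Connection" button.
// Stapler maps doTestConnection() to the URL .../testConnection.
@Extension
public class ExampleGearmanConfig extends GlobalConfiguration {

    // Before hardening, a method of this shape answered plain GET requests and
    // performed no permission check, so any page a logged-in user visited could
    // trigger it (Jenkins' CSRF protection only covers POST requests).
    @RequirePOST  // GET is rejected; POST must carry a valid CSRF crumb
    public FormValidation doTestConnection(@QueryParameter String host,
                                           @QueryParameter int port) {
        // Only administrators may make the controller open outbound sockets.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(host, port);
    }

    // Attempt a TCP connection with a short timeout and report the outcome.
    private static FormValidation probe(String host, int port) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), 3000);
            return FormValidation.ok("Connected to " + host + ":" + port);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

The matching Jelly view must submit the validation request as a POST (for example via a validateButton with method="testConnection"), otherwise the annotation simply makes the button stop working.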

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:gearman-plugin (Maven)
Affected versions: < 0.4.0
Patched versions: 0.4.0
