CVE-2019-1003083
Description
Missing permission check in Jenkins Gearman Plugin allows attackers with Overall/Read to initiate connections to attacker-specified servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The GearmanPluginConfig#doTestConnection form validation method in Jenkins Gearman Plugin lacks a permission check, so any user holding Overall/Read permission can make the Jenkins controller open a connection to a server of that user's choosing. The Jenkins Security Advisory 2019-04-03 [1] covered every version available at the time of publication; the GitHub Security Advisory records versions before 0.4.0 as affected and 0.4.0 as the first fixed release.
Exploitation
An attacker holding Overall/Read permission sends a request to the doTestConnection endpoint with an attacker-specified server address. Beyond that low-privilege account, no further authentication or user interaction is needed: the form validation method runs the connection test without first checking that the caller is authorized to do so [3]. Form validation methods on Jenkins descriptors are exposed as web methods by Stapler, so any permission check has to be made inside the method itself; here none is.
Impact
Successful exploitation makes the Jenkins controller open outbound connections to any server the attacker names, which is a Server-Side Request Forgery (SSRF) primitive. Since the controller usually has network reach that a read-only user does not, this can be used to probe hosts and ports behind it, potentially disclosing information (for example, whether a given internal service is listening) or enabling further network attacks.
Mitigation
The Jenkins Security Advisory 2019-04-03 [1] describes this vulnerability; the fix is a permission check in the form validation method (in Jenkins, connection tests from global configuration normally require Overall/Administer), and the GitHub Security Advisory records version 0.4.0 as patched. Upgrade the Gearman Plugin to 0.4.0 or later. Where an upgrade is not possible, limiting Overall/Read to trusted users or uninstalling the plugin reduces exposure; the advisory itself provides no workaround. After upgrading, confirm the fix by calling the endpoint as a user with only Overall/Read and checking that the request is refused.
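The following Java is an added illustration for this page, not code from the Gearman Plugin or from the Jenkins advisory. It shows the pattern of a Jenkins descriptor form-validation method that lacks a permission check next to a hardened version of the same method; the class name, the parameter names (host, port) and the connection logic are assumptions, and the @RequirePOST annotation is extra hardening against CSRF that the page's description does not mention.

```java
// Added illustration for CVE-2019-1003083; not the Gearman Plugin's source.
// Class name, parameter names (host, port) and tryConnect() are assumptions.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

@Extension
public class ExampleGearmanConfig extends GlobalConfiguration {

    // BEFORE (the vulnerable pattern): Stapler routes any public do* method on a
    // descriptor to a URL, so every user who can reach the controller at all
    // (Overall/Read) can call it. Nothing here asks who the caller is, and the
    // controller opens a TCP connection to whatever host and port it was given.
    public FormValidation doTestConnectionVulnerable(
            @QueryParameter String host, @QueryParameter int port) {
        return tryConnect(host, port);
    }

    // AFTER: require Overall/Administer before touching the caller-supplied
    // address. checkPermission() throws for an unauthorized caller, which Jenkins
    // turns into an HTTP 403, so the connection is never attempted. @RequirePOST
    // additionally refuses GET requests (extra hardening beyond the permission fix).
    @RequirePOST
    public FormValidation doTestConnection(
            @QueryParameter String host, @QueryParameter int port) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(host, port);
    }

    // Assumed connection test: a plain TCP connect with a short timeout. The
    // ok/error result is what leaks reachability of internal hosts when the
    // method above is callable without a permission check.
    private static FormValidation tryConnect(String host, int port) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), 3000);
            return FormValidation.ok("Connected to " + host + ":" + port);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

A GlobalConfiguration descriptor's web methods are served under the controller's descriptorByName path followed by the descriptor's fully qualified class name, with the do prefix dropped (doTestConnection becomes testConnection). To verify a deployed fix, call that URL as an account that has only Overall/Read and expect a 403; if the method instead returns a FormValidation result for an arbitrary host and port, the permission check is still missing.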
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:gearman-plugin | Maven | < 0.4.0 | 0.4.0 |
Affected products
- Range: all versions as of 2019-04-03
References
- github.com/advisories/GHSA-6pj9-5q6j-j97c (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1003083 (NVD)
- www.openwall.com/lists/oss-security/2019/04/12/2 (oss-security mailing list)
- www.securityfocus.com/bid/107790 (SecurityFocus BID 107790)
- jenkins.io/security/advisory/2019-04-03/ (Jenkins Security Advisory 2019-04-03)