CVE-2019-1003084
Description
A CSRF vulnerability in the Jenkins Zephyr Enterprise Test Management Plugin allows attackers to perform SSRF by tricking a Jenkins administrator into submitting a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Zephyr Enterprise Test Management Plugin contains a cross-site request forgery (CSRF) vulnerability in the ZeeDescriptor#doTestConnection form validation method. The method neither required POST requests nor performed a permission check, so a forged cross-site GET could reach it and make Jenkins open a connection to an attacker-specified server with attacker-supplied credentials. The vulnerability affects versions of the plugin prior to the fix announced in the 2019-04-03 Jenkins security advisory [1][3].
Exploitation
An attacker can exploit this vulnerability by hosting a web page, or sending a link, that, when opened by a logged-in Jenkins administrator on an instance with the plugin installed, makes the browser issue a forged GET request to the doTestConnection endpoint with an attacker-chosen serverAddress. The attacker needs no Jenkins account: the request is authenticated by the victim's session cookie, and Jenkins' CSRF crumb only protects endpoints that require POST. The Jenkins server then connects to the attacker-controlled address, which can be used to reach hosts only Jenkins can see or to otherwise extend the attack [1][4].
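The bug class behind this CVE is mechanical enough to check for in source. The following is an added example, not code from the plugin or from Jenkins: a Python audit that scans Java source for Stapler form-validation methods (a `do…` method returning `FormValidation`) and reports whether each one requires POST (`@POST` or `@RequirePOST`) and calls `checkPermission`. The Java inputs are constructed here from the ZeeDescriptor#doTestConnection hunk on this page, in its before-fix and after-fix forms; the `@RequirePOST`-only variant is a hypothetical half-fix added to show why the permission check matters as well as the POST requirement.

```python
from __future__ import annotations

import re

# Stapler maps a descriptor method named do<Name> to the URL path /<name>. When it
# returns FormValidation, the Jenkins UI calls it with the form's current field
# values; unless the method carries @POST or @RequirePOST, a plain GET from any
# origin reaches it, and Jenkins' crumb check only covers POST requests.
FORM_VALIDATION_METHOD = re.compile(
    r"((?:@\w+(?:\([^)]*\))?\s*)*)"           # annotations directly above the method
    r"(?:public|protected|private)?\s*(?:static\s+)?FormValidation\s+"
    r"(do\w+)\s*\(([^)]*)\)\s*(?:throws[^{]*)?\{",
    re.S,
)
POST_ANNOTATIONS = ("@POST", "@RequirePOST")
PERMISSION_CHECK = re.compile(r"\.checkPermission\s*\(")


def _method_body(src: str, open_brace: int) -> str:
    """Return the text between the method's outermost braces; open_brace indexes '{'."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]          # unbalanced source: take what is there


def audit(src: str) -> list[dict]:
    """Classify every FormValidation endpoint found in a Java source string.

    verdict values:
      "csrf->ssrf"  no POST requirement: a forged cross-site GET drives the method
      "authn-ssrf"  POST required but no permission check: any logged-in user with
                    Overall/Read can fetch a crumb and drive it directly
      "ok"          both controls present
    This is a heuristic: it does not resolve imports or follow helper calls.
    """
    findings = []
    for m in FORM_VALIDATION_METHOD.finditer(src):
        annotations, name, params = m.group(1), m.group(2), m.group(3)
        body = _method_body(src, m.end() - 1)
        requires_post = any(a in annotations for a in POST_ANNOTATIONS)
        checks_permission = PERMISSION_CHECK.search(body) is not None
        if not requires_post:
            verdict = "csrf->ssrf"
        elif not checks_permission:
            verdict = "authn-ssrf"
        else:
            verdict = "ok"
        findings.append({
            "method": name,
            "params": [p.split()[-1] for p in params.split(",") if p.strip()],
            "requires_post": requires_post,
            "checks_permission": checks_permission,
            "verdict": verdict,
        })
    return findings


# Constructed sample modelled on the pre-fix ZeeDescriptor#doTestConnection shown
# in this page's diff; the connection logic itself is not reproduced.
BEFORE_FIX = """
@Extension
public final class ZeeDescriptor extends BuildStepDescriptor<Publisher> {

    public FormValidation doTestConnection(
            @QueryParameter String serverAddress,
            @QueryParameter String username,
            @QueryParameter String password) {

        if (StringUtils.isBlank(serverAddress)) {
            return FormValidation.error("Please enter the server name");
        }
        // the plugin connects to serverAddress with username/password here
        return FormValidation.ok();
    }
}
"""

# The same method with the two lines the fix commit adds.
AFTER_FIX = BEFORE_FIX.replace(
    "    public FormValidation doTestConnection(",
    "    @POST\n    public FormValidation doTestConnection(",
).replace(
    "        if (StringUtils.isBlank(serverAddress)) {",
    "        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);\n"
    "        if (StringUtils.isBlank(serverAddress)) {",
)

# Hypothetical half-fix (not from the project): the crumb now blocks cross-site
# forgery, but any authenticated user can still point the server at a host.
POST_ONLY = BEFORE_FIX.replace(
    "    public FormValidation doTestConnection(",
    "    @RequirePOST\n    public FormValidation doTestConnection(",
)

if __name__ == "__main__":
    for label, src in (("before fix", BEFORE_FIX), ("@RequirePOST only", POST_ONLY),
                       ("after fix", AFTER_FIX)):
        for f in audit(src):
            print(f"{label:18} {f['method']}({', '.join(f['params'])}): {f['verdict']}")
```

Run against a plugin checkout (`audit(open(path).read())` per `.java` file) the script lists every validation endpoint with its verdict; anything other than `ok` on a method that takes a server address or URL parameter is a candidate for the same CSRF-to-SSRF pattern. The regex is deliberately narrow (it will miss annotations with parenthesised arguments inside the parameter list and permission checks made in a helper), so treat its output as a worklist, not a clean bill of health.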
Impact
Successful exploitation allows an attacker to perform server-side request forgery (SSRF): the Jenkins server initiates a connection to a host of the attacker's choosing, external or internal, using parameters the attacker controls. Because a Jenkins controller typically sits on an internal network with access to source control, artifact stores and other build infrastructure, this can be used to probe internal networks, reach services behind firewalls, or exfiltrate data. The vulnerability is classified as CSRF leading to SSRF [3][4].
Mitigation
The vulnerability was fixed in version 1.8 of the Zephyr Enterprise Test Management Plugin, released with the 2019-04-03 Jenkins security advisory [1]. Users should update to that version or later. No workarounds are documented; upgrading is the recommended mitigation, and until it is applied the only partial defence is the unreliable one of administrators not browsing untrusted sites while logged in to Jenkins. The plugin is not listed on the CISA KEV as of the publication date [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:zephyr-enterprise-test-management (Maven) | < 1.8 | 1.8 |
Affected products
- Range: all versions as of 2019-04-03
Patches
a2a698660c12 fixed issue security-993
1 file changed · +4 −1
src/main/java/com/thed/zephyr/jenkins/reporter/ZeeDescriptor.java+4 −1 modified@@ -24,6 +24,7 @@ import javax.xml.datatype.DatatypeConfigurationException; +import jenkins.model.Jenkins; import net.sf.json.JSONArray; import net.sf.json.JSONObject; @@ -41,6 +42,7 @@ import com.thed.zephyr.jenkins.utils.rest.Release; import com.thed.zephyr.jenkins.utils.rest.RestClient; import com.thed.zephyr.jenkins.utils.rest.ServerInfo; +import org.kohsuke.stapler.verb.POST; @Extension public final class ZeeDescriptor extends BuildStepDescriptor<Publisher> { @@ -166,11 +168,12 @@ public String getDisplayName() { // } // } + @POST public FormValidation doTestConnection( @QueryParameter String serverAddress, @QueryParameter String username, @QueryParameter String password) { - + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); if (StringUtils.isBlank(serverAddress)) { return FormValidation.error("Please enter the server name"); }
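Review bot: In the doTestConnection hunk, `Jenkins.getInstance()` is the accessor Jenkins core has deprecated; where the plugin's core baseline is 2.98 or newer, `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` is the equivalent without the deprecation warning. The placement of the added line is right: the permission check runs before the `StringUtils.isBlank(serverAddress)` validation, so an unauthorized caller is refused before any parameter is examined or any connection is opened, and `@POST` makes Stapler reject GET requests so the crumb check now covers the endpoint. What the change does not include is a test; one that sends an anonymous POST and a GET to the endpoint and asserts that both are rejected would keep either control from being dropped in a later refactor. The commit message "fixed issue security-993" also gives a reader of the log nothing to look up; a reference to the 2019-04-03 advisory would help.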
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- GitHub Security Advisory GHSA-qj8p-c733-v494: https://github.com/advisories/GHSA-qj8p-c733-v494
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-1003084
- oss-security mailing list post: https://www.openwall.com/lists/oss-security/2019/04/12/2
- SecurityFocus BID 107790: https://www.securityfocus.com/bid/107790
- Fix commit a2a698660c12d78e06f78c813c3ff10b4c30db16: https://github.com/jenkinsci/zephyr-enterprise-test-management-plugin/commit/a2a698660c12d78e06f78c813c3ff10b4c30db16
- Jenkins security advisory 2019-04-03 (vendor confirmation): https://jenkins.io/security/advisory/2019-04-03/
News mentions
No linked articles in our index yet.