CVE-2019-1003085
Description
Missing permission check in Jenkins Zephyr Enterprise Test Management Plugin allows attackers with Overall/Read to initiate connections to arbitrary servers via doTestConnection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Zephyr Enterprise Test Management Plugin for Jenkins contains a missing permission check in the ZeeDescriptor#doTestConnection form validation method. This allows attackers with Overall/Read permission to trigger a connection to an attacker-specified server. The plugin versions prior to the fix released on 2019-04-03 are affected [1][3].
Exploitation
An authenticated attacker with Overall/Read permission can exploit this by sending a crafted request to the doTestConnection endpoint, providing a server URL controlled by the attacker. No additional authentication or user interaction is required. The absence of a permission check allows the method to be called by any user with the minimum permission level [1].
Impact
Successful exploitation enables the attacker to make the Jenkins controller initiate a connection to an arbitrary external server. This can result in server-side request forgery (SSRF) attacks, potentially leading to information disclosure, internal network reconnaissance, or exfiltration of Jenkins environment data [1][3].
Mitigation
A fix was released as part of the Jenkins security advisory on 2019-04-03. Users should update the Zephyr Enterprise Test Management Plugin to the latest version available from the Jenkins update center. As a workaround, restrict Overall/Read permission to trusted users only. No known exploit attempts or inclusion in the CISA KEV have been reported [1][3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
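The fix pattern described in the Vulnerability and Mitigation sections, written out as an added example (not the plugin's own code): a Stapler form-validation method that authorizes the caller before inspecting any input, generalised to a validation that can also be reached from a job's configuration page. The class name `ExampleDescriptor` and a core baseline of 2.98 or later (for `Jenkins.get()`) are assumptions.

```java
// Added example, not the plugin's code. ExampleDescriptor and the
// Jenkins core baseline (2.98+ for Jenkins.get()) are assumptions.
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public final class ExampleDescriptor {

    // @POST: Stapler dispatches this method only for POST requests, which
    // carry a CSRF crumb when CSRF protection is enabled, so a plain GET
    // link can no longer reach it.
    @POST
    public FormValidation doTestConnection(
            @AncestorInPath Item item,            // null when called from global config
            @QueryParameter String serverAddress,
            @QueryParameter String username,
            @QueryParameter String password) {

        // Authorization first: before any parameter is inspected and long
        // before an outbound connection is attempted. checkPermission throws
        // AccessDeniedException for callers who lack the permission, so the
        // request is rejected and nothing below runs.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global configuration page
        } else {
            item.checkPermission(Item.CONFIGURE);              // job configuration page
        }

        if (StringUtils.isBlank(serverAddress)) {
            return FormValidation.error("Please enter the server name");
        }
        // Only an authorized caller gets this far; the real connection
        // attempt to serverAddress belongs here.
        return FormValidation.ok("Ready to test connection to " + serverAddress);
    }
}
```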
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:zephyr-enterprise-test-management (Maven) | < 1.8 | 1.8 |
Affected products
- Range: all versions as of 2019-04-03
Patches
a2a698660c12: fixed issue security-993
1 file changed · +4 −1
src/main/java/com/thed/zephyr/jenkins/reporter/ZeeDescriptor.java+4 −1 modified@@ -24,6 +24,7 @@ import javax.xml.datatype.DatatypeConfigurationException; +import jenkins.model.Jenkins; import net.sf.json.JSONArray; import net.sf.json.JSONObject; @@ -41,6 +42,7 @@ import com.thed.zephyr.jenkins.utils.rest.Release; import com.thed.zephyr.jenkins.utils.rest.RestClient; import com.thed.zephyr.jenkins.utils.rest.ServerInfo; +import org.kohsuke.stapler.verb.POST; @Extension public final class ZeeDescriptor extends BuildStepDescriptor<Publisher> { @@ -166,11 +168,12 @@ public String getDisplayName() { // } // } + @POST public FormValidation doTestConnection( @QueryParameter String serverAddress, @QueryParameter String username, @QueryParameter String password) { - + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); if (StringUtils.isBlank(serverAddress)) { return FormValidation.error("Please enter the server name"); }
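Review bot: in the first hunk, `import jenkins.model.Jenkins;` is brought in only to call `Jenkins.getInstance()`, which is deprecated; if the plugin's core baseline is 2.98 or later, `Jenkins.get()` is the preferred non-null accessor. This is a style point and not a reason to hold a security fix.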
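Review bot: in the third hunk, the new `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` requires Overall/Administer, which is right for a validate button on the global configuration page but would also deny users who hold only Item/Configure if the same button is rendered in a job's configuration; if that page exists, take an `@AncestorInPath Item item` parameter and check `item.checkPermission(Item.CONFIGURE)` when `item` is non-null. Placing the check before `StringUtils.isBlank(serverAddress)` is correct, since no input should be processed for an unauthorized caller. Note also that `@POST` makes Stapler reject GET requests to this method, and this one-file diff does not touch the Jelly view: confirm the corresponding validateButton submits via POST, otherwise the button stops working after the upgrade.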
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4p5r-2m5c-hvcc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1003085 (NVD entry)
- www.openwall.com/lists/oss-security/2019/04/12/2 (oss-security mailing list)
- www.securityfocus.com/bid/107790 (SecurityFocus BID entry)
- github.com/jenkinsci/zephyr-enterprise-test-management-plugin/commit/a2a698660c12d78e06f78c813c3ff10b4c30db16 (fix commit)
- jenkins.io/security/advisory/2019-04-03/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.