VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 5, 2024

CVE-2019-1003086

Description

CSRF in Jenkins Chef Sinatra Plugin allows an attacker to initiate connections to attacker-specified servers via the test connection form.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Chef Sinatra Plugin. The flaw resides in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method, which does not require a valid CSRF token, so a forged request can make that method run on behalf of an authenticated user. Affected are the plugin versions before the fix included in the Jenkins Security Advisory 2019-04-03 [1].

Exploitation

An attacker exploits this vulnerability by tricking an authenticated Jenkins user into visiting a specially crafted web page or clicking a malicious link; the attacker needs no Jenkins account or special permissions. The forged request invokes the doTestConnection method, which makes the Jenkins controller send a request to an attacker-controlled server. This is a classic CSRF attack vector [1].

Impact

Successful exploitation allows an attacker to initiate an HTTP connection from the Jenkins controller to an attacker-specified server. This can be used to probe or interact with internal network resources, potentially leading to information disclosure or further reconnaissance. The vulnerability does not directly provide remote code execution or data modification on the Jenkins controller [1][3].

Mitigation

Users should upgrade the Chef Sinatra Plugin to a version that includes the CSRF protection fix released on 2019-04-03 as part of the Jenkins Security Advisory [1]. If an upgrade is not immediately possible, administrators can disable the plugin temporarily. No other workarounds are documented in the available sources. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
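To make the Vulnerability and Mitigation sections concrete, the following Java sketch is an added illustration and not the Chef Sinatra Plugin's own source or its actual fix. It shows the shape of a Jenkins Descriptor form-validation method of the kind the advisory names (DescriptorImpl#doTestConnection) reachable without CSRF protection, next to the hardening Jenkins documents for form validation: @RequirePOST (so the crumb filter validates the CSRF token) plus an explicit permission check. Everything beyond the method name, including the "Unsafe" variant, the HttpURLConnection probe, and the surrounding class, is assumed for the example.

```java
// Added illustration (not the plugin's own code): an unprotected form-validation
// endpoint beside its hardened form. Only DescriptorImpl#doTestConnection comes
// from the advisory; all other names and the probe logic are assumed.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class ChefBuilderConfiguration extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Weak pattern the advisory describes: reachable by a plain GET and
        // exempt from the crumb check, so a cross-site request forged on an
        // authenticated user's behalf makes the controller open a connection
        // to whatever URL the request carries.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url) {
            return probe(url);
        }

        // Hardened form: @RequirePOST rejects GET, and Jenkins' CSRF crumb
        // filter validates the token on POSTs. The permission check keeps
        // low-privilege users from using the controller as an HTTP proxy.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(url);
        }

        // Assumed probe: a bounded HTTP request to the configured server.
        private static FormValidation probe(String url) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                int code = conn.getResponseCode();
                return code < 400
                        ? FormValidation.ok("Connected (HTTP " + code + ")")
                        : FormValidation.error("Server returned HTTP " + code);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Chef Sinatra builder (illustration)";
        }
    }
}
```

The two annotations matter together: @RequirePOST alone stops the cross-site GET and routes the request through the crumb filter, while the permission check narrows who may trigger an outbound connection from the controller at all. Administrators auditing other plugins can look for do*-prefixed validation methods lacking @RequirePOST as a quick indicator of the same weakness class.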

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:sinatra-chef-builder (Maven)
Affected versions: <= 1.20
Patched versions: (none listed on this page)
