CVE-2019-1003087
Description
Missing permission check in Jenkins Chef Sinatra Plugin allows attackers with Overall/Read to initiate a connection to an attacker-specified server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Chef Sinatra Plugin does not perform a permission check in a method implementing form validation, identified in this record as ChefBuilderConfiguration.DescriptorImpl#doTestConnection. Because the check is missing, any user holding Overall/Read permission can make the Jenkins controller open a connection to a server of their choosing. The Jenkins security advisory lists all versions of the plugin as affected as of 2019-04-03; the GitHub advisory records the affected range as 1.20 and earlier, with no patched version [1][3].
Exploitation
An attacker with Overall/Read permission can call the doTestConnection form validation endpoint directly over HTTP, instead of through the plugin's configuration page, and supply a server address of their choosing; the plugin then attempts a connection to that address from the controller. Overall/Read is the baseline permission every Jenkins user needs to use the UI, so no further privilege is required [1][3].
Impact
Successful exploitation makes the Jenkins controller connect to an arbitrary server, which is a server-side request forgery (SSRF). From the controller's network position an attacker can reach internal services that are not exposed externally and can learn whether each target accepts connections from the form validation result or from response timing. How much is disclosed depends on what the validation response reveals about the attempt and on which networks the controller can reach [1][3].
Mitigation
The Jenkins Security Advisory 2019-04-03 does not name a fixed version: the affected range is recorded as all versions as of the advisory date, and the GitHub advisory lists 1.20 and earlier with no patched release. No workaround is documented in the references [1]. As general practice for an unfixed Jenkins plugin rather than guidance taken from the references, the exposure can be reduced by uninstalling the plugin from controllers that do not need it and by reviewing which users and groups (including anonymous) hold Overall/Read.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
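To make the vulnerability and mitigation concrete, the following is an added illustration of the Jenkins form-validation pattern this CVE class concerns, written for this page; it is not the Chef Sinatra Plugin's source code. ExampleBuilder, the two descriptor classes and the serverUrl parameter are hypothetical names. The hardened variant follows the pattern from the Jenkins developer documentation on form validation (require POST, then check a permission that implies the right to edit the configuration being validated) and assumes Jenkins core 2.98 or later for Jenkins.get() plus Stapler on the plugin classpath.

```java
// Added illustration of the vulnerable and hardened form-validation patterns.
// NOT the Chef Sinatra Plugin's source. ExampleBuilder, the descriptor names
// and the serverUrl parameter are hypothetical. Compiles against Jenkins core
// (2.98+ for Jenkins.get()) and Stapler as ordinary plugin dependencies.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class ExampleBuilder extends Builder {

    private final String serverUrl;

    @DataBoundConstructor
    public ExampleBuilder(String serverUrl) {
        this.serverUrl = serverUrl;
    }

    public String getServerUrl() {
        return serverUrl;
    }

    /**
     * Shared "test connection" logic. Whoever reaches the validation endpoint
     * chooses host, port and path, and the returned message tells them whether
     * the controller could connect. That is the SSRF primitive.
     */
    static FormValidation probe(String serverUrl) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    /**
     * VULNERABLE pattern. Stapler routes any request for
     * .../descriptorByName/<class>/testConnection?serverUrl=... to this
     * method, GET included, and nothing checks who is asking. Overall/Read is
     * enough to reach the URL, so any such user can aim the controller at any
     * server. Deliberately not annotated with @Extension, so it is never
     * registered alongside the hardened descriptor below.
     */
    public static class VulnerableDescriptor extends BuildStepDescriptor<Builder> {
        public VulnerableDescriptor() { super(ExampleBuilder.class); }

        public FormValidation doTestConnection(@QueryParameter String serverUrl) {
            return probe(serverUrl);
        }

        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Example builder (vulnerable)"; }
    }

    /**
     * HARDENED pattern: require POST so a plain link cannot trigger the probe,
     * and require a permission that implies the right to change the
     * configuration being validated. checkPermission throws
     * AccessDeniedException, so probe() never runs for an unauthorised caller.
     */
    @Extension
    public static class HardenedDescriptor extends BuildStepDescriptor<Builder> {
        public HardenedDescriptor() { super(ExampleBuilder.class); }

        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl) {
            if (item == null) {
                // Global configuration page: only administrators may probe.
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                // Job configuration page: caller must be able to configure this job.
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(serverUrl);
        }

        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Example builder (hardened)"; }
    }
}
```

The permission chosen in the hardened descriptor matters: checking only Overall/Read would change nothing, because that is exactly the level the attacker already holds. Item.CONFIGURE (or Jenkins.ADMINISTER for global configuration) ties the ability to make the controller connect somewhere to the ability to save that server address into a configuration anyway, which is the boundary Jenkins form validation is meant to respect.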
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:sinatra-chef-builder (Maven) | <= 1.20 | — |
Affected products
- Range: all versions as of 2019-04-03
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-4mvc-33v7-cqc3 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003087 (NVD)
- https://www.openwall.com/lists/oss-security/2019/04/12/2 (oss-security mailing list)
- https://www.securityfocus.com/bid/107790 (SecurityFocus BID)
- https://jenkins.io/security/advisory/2019-04-03/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.