CVE-2019-1003092
Description
Jenkins Nomad Plugin is vulnerable to CSRF, enabling attackers to initiate connections to attacker-specified servers via the doTestConnection method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method. Versions prior to the fix are affected. The vulnerability allows an attacker to initiate a connection to an attacker-specified server without proper CSRF protection. [1] [2] [3]
Exploitation
An attacker can exploit this vulnerability by tricking a Jenkins administrator into visiting a malicious page or submitting a crafted request while authenticated. The attacker does not need Jenkins credentials of their own but relies on the victim's session. The vulnerable method accepted requests without any CSRF protection, so the victim's visit alone, with no further interaction, is enough to trigger it. [1] [4]
Impact
Successful exploitation allows an attacker to initiate an outbound connection from the Jenkins controller to an attacker-controlled server. This can be used for reconnaissance, data exfiltration, or as a stepping stone for further attacks. The impact is limited to the ability to trigger the connection, not arbitrary code execution. [1] [2] [3]
Mitigation
The fix was implemented in commit 3331d24896b815c375e528207c5572e18631c49d, which adds the @RequirePOST annotation and an Administer permission check to the doTestConnection method [4]. The Jenkins Security Advisory 2019-04-03 recommends updating the Nomad Plugin to a version containing this fix [1]. No workarounds are documented; updating the plugin is the recommended mitigation.
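The pattern the fix applies generalizes to any Jenkins Descriptor form-validation method that performs a network call. The following is an added example, not code from the Nomad plugin: a hypothetical descriptor (ExampleCloudDescriptor, parameter name url, the probe helper) shows the vulnerable shape beside the hardened one. It assumes a Jenkins core baseline of 2.98 or later so that Jenkins.get() is available; on older baselines the fix commit's Jenkins.getInstance() form applies instead.

```java
// Added example (not the Nomad plugin's code). Class, method and parameter
// names are hypothetical; the hardened shape mirrors the CVE-2019-1003092 fix.
package example;

import hudson.model.Descriptor;
import hudson.slaves.Cloud;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

public class ExampleCloudDescriptor extends Descriptor<Cloud> {

    @Override
    public String getDisplayName() {
        return "Example cloud";
    }

    // BEFORE (vulnerable shape): reachable by GET and unauthenticated beyond
    // the caller's session. Any page an administrator visits can make the
    // controller open a connection to whatever host is in "url".
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url) {
        return probe(url);
    }

    // AFTER (hardened shape): @RequirePOST makes Stapler reject non-POST
    // requests, and POST requests are covered by Jenkins' CSRF crumb. The
    // permission check runs before anything is sent, so only users who may
    // configure clouds can trigger the outbound request.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(url);
    }

    // Shared probe: reports a malformed URL as a form error instead of an
    // exception, and bounds the connection so a bad host cannot hang the form.
    private static FormValidation probe(String url) {
        try {
            URL target = new URL(url + "/v1/agent/self");
            HttpURLConnection conn = (HttpURLConnection) target.openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("Unexpected HTTP status " + status);
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL: " + url);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

A test-connection button rendered with f:validateButton already submits by POST, so the annotation needs no Jelly change for that method; a doCheck* method gated with @RequirePOST, by contrast, requires checkMethod="post" on the corresponding form field or its inline validation is rejected.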
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:nomad (Maven) | < 0.5.1 | 0.5.1 |
Affected products
- Range: all versions as of 2019-04-03
Patches
3331d24896b8: committing fix to SECURITY-1058 (#42)
1 file changed · +17 −14
src/main/java/org/jenkinsci/plugins/nomad/NomadCloud.java+17 −14 modified@@ -1,27 +1,26 @@ package org.jenkinsci.plugins.nomad; -import org.kohsuke.stapler.DataBoundConstructor; -import org.kohsuke.stapler.QueryParameter; -import hudson.Extension; - -import hudson.slaves.*; -import okhttp3.OkHttpClient; -import okhttp3.Request; import com.google.common.base.Optional; import com.google.common.base.Strings; +import hudson.Extension; import hudson.model.Descriptor; -import hudson.util.FormValidation; import hudson.model.Label; import hudson.model.Node; +import hudson.slaves.AbstractCloudImpl; +import hudson.slaves.NodeProperty; +import hudson.slaves.NodeProvisioner; +import hudson.util.FormValidation; import jenkins.model.Jenkins; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.List; +import okhttp3.OkHttpClient; +import okhttp3.Request; +import org.kohsuke.stapler.DataBoundConstructor; +import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.interceptor.RequirePOST; + +import java.util.*; import java.util.concurrent.*; import java.util.logging.Level; import java.util.logging.Logger; - public class NomadCloud extends AbstractCloudImpl { private static final Logger LOGGER = Logger.getLogger(NomadCloud.class.getName()); @@ -83,7 +82,7 @@ public Collection<NodeProvisioner.PlannedNode> provision(Label label, int excess if (template != null) { try { while (excessWorkload > 0) { - + LOGGER.log(Level.INFO, "Excess workload of " + excessWorkload + ", provisioning new Jenkins slave on Nomad cluster"); final String slaveName = template.createSlaveName(); @@ -202,7 +201,9 @@ public String getDisplayName() { return "Nomad"; } + @RequirePOST public FormValidation doTestConnection(@QueryParameter("nomadUrl") String nomadUrl) { + Objects.requireNonNull(Jenkins.getInstance()).checkPermission(Jenkins.ADMINISTER); try { Request request = new Request.Builder() .url(nomadUrl + "/v1/agent/self") 
@@ -217,7 +218,9 @@ public FormValidation doTestConnection(@QueryParameter("nomadUrl") String nomadU } } + @RequirePOST public FormValidation doCheckName(@QueryParameter String name) { + Objects.requireNonNull(Jenkins.getInstance()).checkPermission(Jenkins.ADMINISTER); if (Strings.isNullOrEmpty(name)) { return FormValidation.error("Name must be set"); } else {
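Review bot: in the import hunk, replacing the explicit java.util imports with `import java.util.*;` hides where `Objects` (used by the new permission checks) comes from; prefer adding `import java.util.Objects;` next to the existing explicit imports. The wholesale reordering of the other imports is unrelated to SECURITY-1058 and makes the security-relevant lines harder to pick out; keep the fix commit to the `org.kohsuke.stapler.interceptor.RequirePOST` import and the two method changes.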
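Review bot: the provision() hunk only removes a blank line inside the `while (excessWorkload > 0)` loop; it is whitespace churn unrelated to the security fix and should be dropped from this commit.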
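Review bot: in the doTestConnection hunk the `checkPermission(Jenkins.ADMINISTER)` call is placed before the request is built, which is the right order (nothing is sent until the caller is verified), and the method is reached from a validate button that already submits by POST, so no Jelly change is needed for it. Two follow-ups: `Jenkins.getInstance()` is deprecated in favour of `Jenkins.get()`, which itself fails if no instance exists, so the `Objects.requireNonNull` wrapper can go once the plugin's core baseline allows it; and `nomadUrl` is still concatenated unvalidated into `.url(nomadUrl + "/v1/agent/self")`, where `Request.Builder.url(String)` throws `IllegalArgumentException` on a malformed value, so a `FormValidation.validateRequired(nomadUrl)` or URL parse check up front would return a form error instead.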
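Review bot: doCheckName only tests `Strings.isNullOrEmpty(name)` and makes no outbound request, so `@RequirePOST` and the ADMINISTER check add nothing for CSRF protection here. They are harmless, but because this commit changes only NomadCloud.java, the name field in the config Jelly must now declare `checkMethod="post"` or its inline validation will be rejected as a GET; either add that attribute in the same commit or leave doCheckName unannotated.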
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5q63-jvc9-qphv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1003092 (NVD advisory)
- www.openwall.com/lists/oss-security/2019/04/12/2 (oss-security mailing list, x_refsource_MLIST)
- www.securityfocus.com/bid/107790 (vulnerability database entry, x_refsource_BID)
- github.com/jenkinsci/nomad-plugin/commit/3331d24896b815c375e528207c5572e18631c49d (fix commit)
- jenkins.io/security/advisory/2019-04-03/ (Jenkins security advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.