VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 5, 2024

CVE-2019-1003098

Description

A CSRF vulnerability in Jenkins openid Plugin allows attackers to initiate connections to attacker-specified servers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method. This allows an attacker to trick a Jenkins administrator with sufficient permissions into making a request that initiates a connection to an attacker-specified server. The affected component is the OpenIdSsoSecurityRealm.DescriptorImpl class, and the vulnerability is triggered via the doValidate method. The vulnerability is present in all versions of the openid Plugin prior to the fix. [1] [3]

Exploitation

An attacker must have the ability to craft a malicious request and lure a Jenkins user (typically an administrator) who has access to the plugin's configuration page into performing an action such as clicking a link or visiting a specially crafted web page. The attacker does not need authentication but relies on the victim being authenticated. The CSRF attack targets the doValidate endpoint, allowing the attacker to force the server to connect to an externally specified URL without the victim's knowledge. [1] [3]

Impact

Successful exploitation allows an attacker to initiate a connection from the Jenkins server to an arbitrary attacker-specified server. This could be used for server-side request forgery (SSRF) attacks, potentially leading to information disclosure, internal network scanning, or further exploitation of internal services. The impact is limited to outbound connections initiated by the Jenkins server, and the attacker does not gain direct access to Jenkins data or credentials. [1] [3] [4]

Mitigation

Jenkins released version 2.6 of the openid Plugin on 2019-04-03, which fixes this vulnerability by adding a CSRF token check to the doValidate method. Users should update to version 2.6 or later. There is no known workaround for this issue. The vulnerability is also listed in the Jenkins Security Advisory 2019-04-03. [1] [3] [4]
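How the controls in a fix of this kind work together, as an added example that is not code from the openid Plugin or from Jenkins: a self-contained Python model of a form-validation endpoint in its pre-fix shape and in a hardened shape that requires POST, checks a per-session anti-CSRF token (Jenkins calls it a crumb and sends it in a `Jenkins-Crumb` header) and restricts the outbound test connection to administrators. The `Session`, `Request`, `OutboundConnections` and `validate_endpoint_*` names, and the `http://untrusted.example.invalid/` URL, are constructed for this illustration. The model replays the same forged cross-site request against both shapes and records which URLs the server would actually have contacted.

```python
"""Standalone model of CSRF + authorization protection on a validation endpoint.

Constructed example, not Jenkins/Stapler code. The cross-site request carries the
victim's session (the browser attaches cookies) but cannot read the session's crumb.
"""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Session:
    user: str
    is_admin: bool
    # One random anti-CSRF token per session; a third-party page cannot read it.
    crumb: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: dict
    session: Session
    headers: dict = field(default_factory=dict)


class OutboundConnections:
    """Records the URLs the server would contact; stands in for OpenID discovery."""

    def __init__(self):
        self.urls = []

    def discover(self, endpoint):
        self.urls.append(endpoint)
        return "OK"


def validate_endpoint_vulnerable(req, conn):
    """Pre-fix shape: any HTTP method, no token, no permission check."""
    return ("200", conn.discover(req.params["endpoint"]))


def validate_endpoint_fixed(req, conn):
    """Hardened shape: POST only, valid crumb, administrator only."""
    # 1. A cross-site <a>/<img> request is a GET and never reaches the body
    #    (the role @RequirePOST plays in the plugin).
    if req.method != "POST":
        return ("405", "POST required")
    # 2. The crumb must match the session's token; constant-time comparison.
    sent = req.headers.get("Jenkins-Crumb", "")
    if not hmac.compare_digest(sent, req.session.crumb):
        return ("403", "No valid crumb")
    # 3. Only administrators may make the server open a test connection.
    #    A plain "ok" for everyone else discloses nothing about the endpoint.
    if not req.session.is_admin:
        return ("200", "ok")
    return ("200", conn.discover(req.params["endpoint"]))


def run_scenarios(target="http://untrusted.example.invalid/"):
    """Replay forged and legitimate requests; return contacted URLs per scenario."""
    admin = Session(user="alice", is_admin=True)
    viewer = Session(user="bob", is_admin=False)
    results = {}

    # Forged GET from a third-party page: victim's session attached, no crumb.
    forged_get = Request("GET", {"endpoint": target}, admin)
    conn = OutboundConnections()
    validate_endpoint_vulnerable(forged_get, conn)
    results["vulnerable, forged GET"] = conn.urls

    conn = OutboundConnections()
    validate_endpoint_fixed(forged_get, conn)
    results["fixed, forged GET"] = conn.urls

    # A cross-site form can POST, but still cannot supply the session's crumb.
    forged_post = Request("POST", {"endpoint": target}, admin)
    conn = OutboundConnections()
    validate_endpoint_fixed(forged_post, conn)
    results["fixed, forged POST without crumb"] = conn.urls

    # Legitimate same-origin POST: the page's own script includes the crumb.
    legit = Request("POST", {"endpoint": target}, admin, {"Jenkins-Crumb": admin.crumb})
    conn = OutboundConnections()
    validate_endpoint_fixed(legit, conn)
    results["fixed, admin POST with crumb"] = conn.urls

    # Authenticated, crumb present, but not an administrator.
    low = Request("POST", {"endpoint": target}, viewer, {"Jenkins-Crumb": viewer.crumb})
    conn = OutboundConnections()
    validate_endpoint_fixed(low, conn)
    results["fixed, non-admin POST with crumb"] = conn.urls
    return results


if __name__ == "__main__":
    for name, urls in run_scenarios().items():
        print(f"{name}: contacted {urls or 'nothing'}")
```

Only the legitimate administrator request with a matching crumb results in an outbound connection; the forged GET, the forged POST and the non-administrator request all leave the connection log empty, which is the combined effect the patch's `@RequirePOST` annotation and `ADMINISTER` check aim for.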

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:openid (Maven)
Affected versions: < 2.4
Patched versions: 2.4

Patches

5a91a74a94e4

require post and admin - SECURITY-1084 / CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)

https://github.com/jenkinsci/openid-plugin · Gavin Mogan · Mar 9, 2020 · via ghsa
1 file changed · +7 −1
  • src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java (+7 −1, modified)
    @@ -46,6 +46,7 @@
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.Stapler;
     import org.kohsuke.stapler.StaplerRequest;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     import org.openid4java.OpenIDException;
     import org.openid4java.consumer.ConsumerException;
     import org.openid4java.consumer.ConsumerManager;
    @@ -219,7 +220,12 @@ public String getDisplayName() {
                 return "OpenID SSO";
             }
             
    -        public FormValidation doValidate(@QueryParameter String endpoint) {
    +        @RequirePOST
    +        public FormValidation doValidate(@QueryParameter String endpoint) throws Exception {
    +            if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
    +                // require admin to test
    +                return FormValidation.ok();
    +            }
                 try {
                     new Discovery().discover(endpoint);
                     return FormValidation.ok("OK");
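Review bot: the `throws Exception` added to the `doValidate` signature is not needed by the security fix; the method compiled without it before, and the discovery call it guards is already inside a `try`, so the widened checked-exception contract should be dropped or its reason documented. The permission branch would also read better with a more descriptive comment than `// require admin to test`, for instance stating that a caller without `Jenkins.ADMINISTER` deliberately receives a plain `FormValidation.ok()` rather than an error so the endpoint reveals nothing about the supplied `endpoint` value.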
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
