CVE-2019-1003099
Description
The Jenkins openid Plugin lacks a permission check in its form validation method, allowing attackers with Overall/Read permission to perform SSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins openid Plugin is missing a permission check in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method. Any user with Overall/Read permission can therefore make the Jenkins controller connect to a server of their choosing, a server-side request forgery (SSRF). Before the fix the method was also reachable by plain GET without CSRF protection, which the same commit addresses as CVE-2019-1003098. All plugin versions before 2.4 are affected; 2.4 is the fix released with the Jenkins Security Advisory of 2019-04-03 [1][3].
Exploitation
An attacker needs at least Overall/Read permission in Jenkins. A crafted request to the doValidate endpoint whose endpoint parameter names an attacker-controlled URL makes the Jenkins controller run OpenID discovery against that URL, i.e. open an outgoing connection to the attacker's server. No additional user interaction is required [1].
Impact
Successful exploitation lets an attacker use the Jenkins controller as a request proxy to internal or external systems, for example to probe internal networks or reach services that trust the controller's network position. The method returns only a validation result, not the fetched content, so what the attacker gets back is an indication of whether the target answered. This is a classic SSRF vulnerability [3].
Mitigation
The Jenkins Security Advisory of 2019-04-03 addresses this vulnerability; upgrade the openid Plugin to version 2.4 or later. The fix restricts doValidate to POST requests and skips the discovery unless the caller has Overall/Administer. The plugin's GitHub page also notes the vulnerability and the need to update [1][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:openid (Maven) | < 2.4 | 2.4 |
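A practitioner's first question is whether a given controller is inside the affected range above. The script below is an added example, not code from the advisory or the openid plugin project: it parses the kind of plugin inventory a Jenkins controller returns from /pluginManager/api/json?depth=1 (a "plugins" array with "shortName", "version" and "active" fields, a Jenkins convention assumed here rather than stated by the advisory) and reports whether the installed openid version precedes 2.4. The JSON payloads are constructed samples, not real controller output; fetching the inventory from a live controller is left to the caller.

```python
"""Check an installed Jenkins openid plugin against the CVE-2019-1003099
affected range (openid < 2.4, fixed in 2.4, per the advisory table).

Added example, not part of the advisory or the plugin project. It assumes
the shape of Jenkins' /pluginManager/api/json?depth=1 output; the sample
payloads below are constructed to mimic that shape.
"""
import json
import re

PLUGIN_SHORT_NAME = "openid"  # short name of org.jenkins-ci.plugins:openid
FIXED_VERSION = "2.4"         # first patched release per the advisory table


def parse_version(text: str) -> tuple:
    """Turn a plugin version such as "2.3", "2.3.1" or "2.4-beta-1" into a
    comparable tuple. Numeric components compare numerically; a pre-release
    qualifier ("-beta-1") is assumed to sort below the plain release, so
    2.4-beta-1 is still reported as affected.
    """
    release, _, qualifier = text.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", release)]
    # Pad so that "2.4" and "2.4.0" compare equal and "2.4" < "2.4.1".
    while len(parts) < 3:
        parts.append(0)
    # Last element: 1 for a final release, 0 for a pre-release qualifier.
    return tuple(parts) + ((0 if qualifier else 1),)


def is_affected(version: str) -> bool:
    """True when the installed version precedes the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(plugin_manager_json: str) -> dict:
    """Evaluate a pluginManager JSON document.

    Returns the installed openid version (None when absent), whether the
    plugin is active, and whether it falls in the affected range. An inactive
    install is still reported, because the jar stays on disk and re-enabling
    it would re-expose the unprotected doValidate endpoint.
    """
    doc = json.loads(plugin_manager_json)
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin.get("version", "")
            return {
                "installed": version,
                "active": bool(plugin.get("active", False)),
                "affected": is_affected(version),
            }
    return {"installed": None, "active": False, "affected": False}


# Constructed sample, not real controller output: a 2.3 install (affected).
SAMPLE_VULNERABLE = json.dumps({
    "plugins": [
        {"shortName": "credentials", "version": "2.1.18", "active": True},
        {"shortName": "openid", "version": "2.3", "active": True},
    ]
})

# Constructed sample: the same controller after upgrading to the fixed release.
SAMPLE_FIXED = json.dumps({
    "plugins": [{"shortName": "openid", "version": "2.4", "active": True}]
})


if __name__ == "__main__":
    for label, payload in (("before upgrade", SAMPLE_VULNERABLE),
                           ("after upgrade", SAMPLE_FIXED)):
        print(label, assess(payload))
```

The version comparison is deliberately tolerant of a third component and a pre-release suffix because plugin inventories on long-lived controllers often carry such strings; the one judgement call, treating a pre-release of 2.4 as still affected, is an assumption stated in the code.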
Affected products
- Range: all versions as of 2019-04-03
Patches
5a91a74a94e4 require post and admin - SECURITY-1084 / CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)
1 file changed · +7 −1
src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java+7 −1 modified@@ -46,6 +46,7 @@ import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.Stapler; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.openid4java.OpenIDException; import org.openid4java.consumer.ConsumerException; import org.openid4java.consumer.ConsumerManager; @@ -219,7 +220,12 @@ public String getDisplayName() { return "OpenID SSO"; } - public FormValidation doValidate(@QueryParameter String endpoint) { + @RequirePOST + public FormValidation doValidate(@QueryParameter String endpoint) throws Exception { + if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) { + // require admin to test + return FormValidation.ok(); + } try { new Discovery().discover(endpoint); return FormValidation.ok("OK");
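Review bot: the `throws Exception` added to the `doValidate` signature in the second hunk is wider than the visible body warrants; the `hasPermission` check throws nothing checked and `new Discovery().discover(endpoint)` sits inside the existing `try`, so the clause either broadens the method's contract for no reason or stands in for a narrower checked exception that should be named instead. Separately, returning a bare `FormValidation.ok()` for callers without `Jenkins.ADMINISTER` silently skips validation rather than reporting a permission failure; that is the usual Jenkins form-validation idiom (do not leak the result, do not break the config page for read-only users), but the one-line comment `// require admin to test` should say so, otherwise a reader will ask why `checkPermission(Jenkins.ADMINISTER)` was not used. With that, `@RequirePOST` closes the CSRF half (CVE-2019-1003098) and the `ADMINISTER` gate the missing-permission half (CVE-2019-1003099) named in the commit message.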
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3f3p-qhfv-7p8h (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003099 (ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/12/2 (mailing list, x_refsource_MLIST)
- www.securityfocus.com/bid/107790 (vdb entry, x_refsource_BID)
- github.com/jenkinsci/openid-plugin/commit/5a91a74a94e44d87cd61afc2441aab42b7542bf0 (WEB)
- jenkins.io/security/advisory/2019-04-03/ (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.