CVE-2019-10278
Description
CSRF in Jenkins jenkins-reviewbot Plugin allows attackers to initiate connections to attacker-specified servers via the ReviewboardDescriptor#doTestConnection form validation method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method. This flaw allows an attacker to trick a Jenkins administrator or user with appropriate permissions into submitting a forged request, causing the Jenkins controller to initiate a connection to an attacker-specified server. The issue affects versions of the plugin prior to the fix included in the Jenkins Security Advisory 2019-04-03 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web page or link that, when visited by an authenticated Jenkins user (typically an administrator), triggers a CSRF request to the Jenkins controller. The attacker does not require direct network access to the Jenkins instance; instead, they rely on the victim's browser to send the forged request. The request targets the doTestConnection endpoint, and the attacker can specify a server address (e.g., their own host) to which the Jenkins controller will attempt a connection. No special authentication or write access is needed beyond tricking a valid user [1][3].
Impact
Successful exploitation enables an attacker to force the Jenkins controller to connect to an arbitrary server that the attacker controls. This can be used for reconnaissance (e.g., probing internal networks), exfiltration of data if the connection carries information, or as part of a larger attack chain. The vulnerability itself does not directly lead to code execution or data theft on the Jenkins controller, but it provides a means to abuse Jenkins' network connectivity [1].
Mitigation
Jenkins released a security advisory on 2019-04-03 that includes a fix for this vulnerability. Users should update the jenkins-reviewbot Plugin to the latest version available as of that date. No additional workarounds are documented in the provided references; if a patch is not applied, administrators should restrict access to the Jenkins web interface and ensure only trusted users can interact with it [1][3].
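The class of defect described above is a form-validation endpoint that is reachable by a plain GET and performs no permission check, so a victim's browser can be made to trigger it. Below is an added, constructed illustration of that shape beside the hardened form that Jenkins plugin developers use; it is not code from the jenkins-reviewbot Plugin or from the Jenkins project. The class name, package, and the `url` parameter are assumptions for the example; the Jenkins/Stapler APIs used (`GlobalConfiguration`, `FormValidation`, `@QueryParameter`, `@POST`, `Jenkins.get().checkPermission`) are real.

```java
// Constructed example of a Jenkins global-configuration descriptor with a
// "Test connection" form-validation method. Not the jenkins-reviewbot Plugin's code.
package example.csrfdemo; // hypothetical package name

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class ExampleServerConfiguration extends GlobalConfiguration {

    // WEAK (the pattern the advisory describes): reachable via GET, no
    // permission check. A cross-origin <img src="..."> or link to
    //   /descriptorByName/example.csrfdemo.ExampleServerConfiguration/doTestConnectionWeak?url=...
    // makes the controller connect to whatever host the URL parameter names.
    public FormValidation doTestConnectionWeak(@QueryParameter String url) {
        return probe(url);
    }

    // HARDENED: @POST rejects GET, so a forged cross-site navigation cannot reach it,
    // and with Jenkins CSRF protection enabled a POST must also carry a valid crumb.
    // The explicit permission check ensures only administrators can make the
    // controller open outbound connections from this endpoint.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (url == null || url.isEmpty()) {
            return FormValidation.error("URL is required");
        }
        // Limit the probe to web schemes; reject anything else before connecting.
        if (!(url.startsWith("http://") || url.startsWith("https://"))) {
            return FormValidation.error("Only http:// and https:// URLs are supported");
        }
        return probe(url);
    }

    // Shared connection attempt with bounded timeouts; returns a FormValidation
    // result instead of throwing so the UI can show the outcome.
    private static FormValidation probe(String url) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestMethod("HEAD");
            int code = conn.getResponseCode();
            return code < 400
                    ? FormValidation.ok("Connected (HTTP " + code + ")")
                    : FormValidation.warning("Server answered HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }
}
```

In the matching Jelly view, a `<f:validateButton>` submits the test via POST, so the hardened method keeps working from the configuration page while the cross-site GET path is closed. When auditing a plugin for this issue, look for `do*` form-validation methods that lack both a `@POST`/`@RequirePOST` annotation and a `checkPermission` call, and confirm that Jenkins' CSRF protection (crumb issuer) is enabled on the controller.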
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:jenkins-reviewbot (Maven) | <= 2.4.6 | — |
Affected products
- Range: all versions as of 2019-04-03
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g3rg-cj5x-3vpf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10278 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2019/04/12/2 (GHSA, mailing list, x_refsource_MLIST, web)
- www.securityfocus.com/bid/107790 (GHSA, VDB entry, x_refsource_BID, web)
- jenkins.io/security/advisory/2019-04-03/ (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.