VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 4, 2024

CVE-2019-10279

Description

Missing permission check in Jenkins jenkins-reviewbot Plugin allows attackers with Overall/Read permission to initiate connections to arbitrary servers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The jenkins-reviewbot Plugin for Jenkins lacks a permission check in the ReviewboardDescriptor#doTestConnection form validation method [1][3]. As a result, any user with Overall/Read permission can make the Jenkins controller open a connection to a server of their choosing. The affected versions are those prior to the fix released in response to this advisory; the available references give no explicit version range.

Exploitation

An attacker must have at least Overall/Read permission on the Jenkins instance. No additional authentication or user interaction is required beyond that. The attacker can craft a request to the doTestConnection endpoint, specifying an arbitrary server address. The Jenkins controller will then initiate a connection to that server, potentially allowing the attacker to probe internal networks or exfiltrate data via the response timing or error messages.

Impact

Successful exploitation enables an attacker to force the Jenkins controller to connect to an attacker-controlled server. This can be used for server-side request forgery (SSRF) attacks, allowing the attacker to scan internal services, interact with cloud metadata endpoints, or potentially leak sensitive information through the connection attempt. The attacker does not gain code execution or direct data access on the Jenkins controller, but the SSRF capability can be leveraged for further compromise.

Mitigation

The Jenkins Security Advisory 2019-04-03 [1] addresses this vulnerability. Users should update the jenkins-reviewbot Plugin to the latest version that includes the missing permission check. If an update is not immediately available, consider restricting Overall/Read permissions to trusted users only, or removing the plugin if it is not essential. No workaround is documented in the available references.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
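To make the mitigation concrete, here is the Jenkins form-validation pattern the advisory describes, written as an added illustration rather than code from the plugin or the advisory: a hypothetical descriptor shows the vulnerable shape (no permission check, reachable by any Overall/Read user) next to the hardened shape that Jenkins plugin development guidance recommends. The class name, method signature and the `url` parameter are assumptions, since the page names only ReviewboardDescriptor#doTestConnection.

```java
package example; // hypothetical package, not the plugin's own

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical stand-in for ReviewboardDescriptor; GlobalConfiguration is a Descriptor,
// so its do* methods are exposed by Stapler as web endpoints just like the real one.
@Extension
public class ReviewboardDescriptorExample extends GlobalConfiguration {

    // BEFORE (the vulnerable shape): Stapler binds this method to a URL that any user
    // holding Overall/Read can reach, so the controller connects wherever `url` points.
    public FormValidation doTestConnectionUnsafe(@QueryParameter("url") String url) {
        return probe(url);
    }

    // AFTER (hardened): check Overall/Administer before touching the input, and
    // require POST so the endpoint cannot be triggered by a plain GET link.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter("url") String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException
        return probe(url);
    }

    // Shared connection test; only an administrator can reach it through the hardened path.
    private static FormValidation probe(String url) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int code = conn.getResponseCode();
            return code == HttpURLConnection.HTTP_OK
                    ? FormValidation.ok("Connection succeeded")
                    : FormValidation.error("Server responded with HTTP " + code);
        } catch (IOException e) {
            // Keep the message generic: detailed errors are what an SSRF probe reads.
            return FormValidation.error("Connection failed");
        }
    }
}
```

Reviewing a plugin for this class of issue comes down to listing every `do*` method on a Descriptor and confirming each one that takes user input performs a permission check before acting on it.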

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:            org.jenkins-ci.plugins:jenkins-reviewbot (Maven)
Affected versions:  <= 2.4.6
Patched versions:   (none listed)
