VYPR
Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 4, 2024

CVE-2019-10290

Description

Jenkins Netsparker Cloud Scan Plugin ≤1.1.5 lacks a permission check in a validation method, allowing Overall/Read users to probe arbitrary servers from the Jenkins controller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

A missing permission check in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method of the Jenkins Netsparker Cloud Scan Plugin (version 1.1.5 and earlier) allows attackers with only Overall/Read permission to initiate a connection to an attacker-specified server [1][3]. The method does not require any expanded permissions (such as Item/Configure) before performing the outbound connection, violating Jenkins' standard permission model for build-step configuration form validation.

Exploitation

Conditions

An attacker must have a valid Jenkins account with at least Overall/Read permission, which many configurations grant to anonymous users or to any authenticated user. No other privileges are necessary. The attacker can craft a request to the vulnerable form validation endpoint specifying an arbitrary host and port, and the Jenkins controller will then attempt an outbound connection (e.g., HTTP or TCP) to that attacker-chosen destination [1]. No victim interaction is required beyond the attacker's own API call.

Impact

Successful exploitation enables an attacker to use the Jenkins controller as a reconnaissance platform. By observing connection results (timeouts, successes, error messages) the attacker can map internal network services, determine whether specific hosts are reachable, and potentially identify active services. This can lead to further network-based attacks and information disclosure about the internal network topology [1][3]. The vulnerability does not directly allow credential theft or remote code execution, but it provides a foothold for deeper attacks.

Mitigation

Status

Jenkins released Netsparker Cloud Scan Plugin version 1.1.6, which adds the missing permission check, requiring Item/Configure permission for the doValidateAPI method [1]. Users are strongly advised to upgrade to this version or later. The Jenkins security advisory lists this CVE under SECURITY-1032, which affected multiple plugins; the Netsparker Cloud Scan Plugin was one of several plugins fixed in that April 2019 advisory [1][2].
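The fix pattern described above, as an added illustration rather than the plugin's own code: a Jenkins build-step descriptor whose form-validation method checks Item/Configure before it opens any outbound connection. The class name, the serverUrl field and the URL-handling details are assumptions, and the snippet assumes Jenkins core and Stapler on the classpath.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Illustrative build step; class and field names are assumptions, not the plugin's own code. */
public class ExampleScanBuilder extends Builder {
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        // Stapler serves this at .../descriptorByName/<class>/validateAPI for any Overall/Read user,
        // so authorization must run before the outbound connection. @POST (with checkMethod="post"
        // in the Jelly view) additionally refuses GET requests.
        @POST
        public FormValidation doValidateAPI(@AncestorInPath Item item, @QueryParameter String serverUrl) {
            // The check CVE-2019-10290 lacked: Item/Configure on the job being edited, or
            // Overall/Administer when the form is validated outside any job context.
            if (item != null) {
                item.checkPermission(Item.CONFIGURE);
            } else {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            }
            try {
                URL url = new URL(serverUrl);
                if (!"https".equalsIgnoreCase(url.getProtocol())) {
                    return FormValidation.error("Server URL must start with https://");
                }
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                int code = conn.getResponseCode();
                return code < 400 ? FormValidation.ok("Server reachable")
                                  : FormValidation.warning("Server answered HTTP " + code);
            } catch (IOException e) {
                // Keep the message generic: detailed errors let a caller fingerprint the network.
                return FormValidation.error("Could not reach the server");
            }
        }
    }
}
```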

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:netsparker-cloud-scan (Maven)
Affected versions: < 1.1.6
Patched versions: 1.1.6

Affected products: 2

Patches: 0. No patches discovered yet.

References: 5

News mentions: 0. No linked articles in our index yet.