CVE-2019-10292
Description
A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Jenkins Kmap Plugin allows attackers to initiate connections to attacker-specified servers via form validation.
The Kmap Plugin for Jenkins contains a cross-site request forgery (CSRF) vulnerability in the KmapJenkinsBuilder.DescriptorImpl form validation methods. This flaw allows an attacker to trick a Jenkins user into making an unintended request, leveraging the user's authenticated session. As a result, the attacker can force Jenkins to initiate a connection to an arbitrary server they control [3].
Exploitation requires no authentication beyond the victim's session, and the attacker does not need prior access to Jenkins. The attack is performed by crafting a malicious link or form that, when clicked or submitted by an authenticated user, triggers the vulnerable form validation endpoint. This can lead to the leakage of sensitive information or be used as a stepping stone for further attacks.
The impact is largely limited to unauthorized outbound connections from the Jenkins controller, but it could enable data exfiltration or pivoting to internal systems. Jenkins addressed this issue in their 2019-04-03 security advisory [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: all versions as of 2019-04-03
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-fvcf-wgxj-h7ch (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10292 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/12/2 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/107790 (ghsa, vdb-entry, x_refsource_BID, WEB)
- jenkins.io/security/advisory/2019-04-03/ (ghsa, x_refsource_CONFIRM, WEB)