CVE-2019-10307
Description
Cross-site request forgery in Jenkins Static Analysis Utilities Plugin allowed attackers to change default graph configuration for all users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site request forgery (CSRF) vulnerability exists in Jenkins Static Analysis Utilities Plugin (formerly known as analysis-core Plugin) versions 1.95 and earlier. The vulnerability is located in the DefaultGraphConfigurationView#doSave form handler method, which did not require POST requests, making it susceptible to CSRF attacks [1]. Additionally, the handler lacked proper permission checks, allowing users with only Job/Read access to change configuration [1].
To exploit this vulnerability, an attacker could craft a malicious link or form submission that, when clicked or submitted by an authenticated Jenkins user, triggers a state-changing request to the vulnerable endpoint. The attacker does not need special privileges beyond being able to trick a legitimate user into performing the action. The victim must have at least Job/Read access on the target job for the attack to succeed [1].
Successful exploitation allows an attacker to modify the per-job default graph configuration for all users. This could alter how static analysis results are displayed, potentially misleading users or causing a denial of service by corrupting the display settings [1][2]. The impact is limited to configuration changes and does not lead to direct code execution or data breach.
The vulnerability has been addressed in Static Analysis Utilities Plugin version 1.96, which now requires both Job/Configure permission and POST requests to configure per-job graph defaults [3]. Users are strongly advised to upgrade to the latest version. As of the advisory date, no workaround is available other than disabling the plugin [1].
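To make the two conditions of the fix concrete (the handler must accept POST only, and the caller must hold Job/Configure rather than just Job/Read), here is an added model of that rule. It is not code from the analysis-core plugin or from Jenkins: the permission labels, the `User`/`Request` types, the two view classes and the form values are constructed here to replay the scenarios the narrative above describes against a 1.95-style view and a 1.96-style view.

```python
from dataclasses import dataclass, field
from functools import wraps

# Constructed permission labels, using the names the advisory uses.
JOB_READ = "Job/Read"
JOB_CONFIGURE = "Job/Configure"


class Forbidden(Exception):
    """Caller lacks the required permission (HTTP 403)."""


class MethodNotAllowed(Exception):
    """State-changing handler hit with a non-POST method (HTTP 405)."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


@dataclass
class Request:
    method: str
    user: User
    form: dict = field(default_factory=dict)


def check_permission(user, permission):
    """Analogue of checkPermission(): raise unless the user holds the permission."""
    if permission not in user.permissions:
        raise Forbidden(f"{user.name} lacks {permission}")


def require_post(handler):
    """Analogue of Stapler's @RequirePOST: reject GET and every other method."""
    @wraps(handler)
    def wrapper(self, request):
        if request.method != "POST":
            raise MethodNotAllowed(f"{handler.__name__} requires POST, got {request.method}")
        return handler(self, request)
    return wrapper


@dataclass
class GraphDefaults:
    """Per-job graph defaults shared by all users (constructed starting values)."""
    settings: dict = field(default_factory=lambda: {"width": 500, "height": 200})


class VulnerableDefaultGraphView:
    """Pre-fix behaviour: reaching the page needs Job/Read; saving needs nothing more."""

    def __init__(self, defaults):
        self.defaults = defaults

    def get_target(self, request):
        check_permission(request.user, JOB_READ)
        return self

    def do_save(self, request):
        # No method check and no Job/Configure check: a cross-site GET that
        # carries form parameters overwrites the defaults for every user.
        self.defaults.settings.update(request.form)
        return "saved"


class FixedDefaultGraphView(VulnerableDefaultGraphView):
    """Post-fix behaviour: the view is gated on Job/Configure and saves need POST."""

    def get_target(self, request):
        # Analogue of the StaplerProxy#getTarget added by the patch.
        check_permission(request.user, JOB_CONFIGURE)
        return self

    @require_post
    def do_save(self, request):
        # Second layer, matching the patched doSave override.
        check_permission(request.user, JOB_CONFIGURE)
        return super().do_save(request)


def dispatch(view, request):
    """Route a request the way Stapler would: resolve the target, then call the handler."""
    try:
        return view.get_target(request).do_save(request)
    except Forbidden:
        return "forbidden"
    except MethodNotAllowed:
        return "method-not-allowed"


def simulate(view_class):
    """Replay the advisory's scenarios against one view class; return outcome per scenario."""
    reader = User("reader", frozenset({JOB_READ}))
    configurer = User("configurer", frozenset({JOB_READ, JOB_CONFIGURE}))
    untrusted_form = {"width": "1"}  # constructed parameters from a cross-site submission
    view = view_class(GraphDefaults())
    return {
        "cross_site_get_as_reader": dispatch(view, Request("GET", reader, untrusted_form)),
        "post_as_reader": dispatch(view, Request("POST", reader, untrusted_form)),
        "get_as_configurer": dispatch(view, Request("GET", configurer, untrusted_form)),
        "post_as_configurer": dispatch(view, Request("POST", configurer, untrusted_form)),
    }


if __name__ == "__main__":
    for label, cls in (("1.95", VulnerableDefaultGraphView), ("1.96", FixedDefaultGraphView)):
        print(label, simulate(cls))
```

Against the vulnerable view every scenario reports `saved`; against the fixed view only the configurer's POST does, the reader's requests are refused before the handler runs, and the configurer's GET is refused by the method check. Jenkins additionally checks a CSRF crumb on POST forms; that layer is not modelled here because the advisory describes the fix only in terms of the method and permission checks.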
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jvnet.hudson.plugins:analysis-core (Maven) | < 1.96 | 1.96 |
Affected products
- Range: 1.95 and earlier
Patches
3d7a0c7907d8 [SECURITY-1100]
3 files changed · +19 −2
src/main/java/hudson/plugins/analysis/graph/DefaultGraphConfigurationView.java+16 −1 modified@@ -5,6 +5,7 @@ import java.io.IOException; import org.apache.commons.io.IOUtils; +import org.kohsuke.stapler.StaplerProxy; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; @@ -13,11 +14,12 @@ import hudson.plugins.analysis.Messages; import hudson.plugins.analysis.core.BuildHistory; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * Configures the default values for the trend graph of this plug-in. */ -public class DefaultGraphConfigurationView extends GraphConfigurationView { +public class DefaultGraphConfigurationView extends GraphConfigurationView implements StaplerProxy { private final String url; /** @@ -42,6 +44,13 @@ public DefaultGraphConfigurationView(final GraphConfiguration configuration, fin configuration.initializeFromFile(createDefaultsFile(job, pluginName)); } + @RequirePOST + @Override + public void doSave(StaplerRequest request, StaplerResponse response) { + getOwner().checkPermission(Job.CONFIGURE); + super.doSave(request, response); + } + /** * Creates a new instance of {@link DefaultGraphConfigurationView}. * @@ -132,5 +141,11 @@ protected void persistValue(final String value, final String pluginName, final S output.close(); } } + + @Override + public Object getTarget() { + getOwner().checkPermission(Job.CONFIGURE); + return this; + } }
src/main/java/hudson/plugins/analysis/graph/GraphConfigurationView.java+2 −0 modified@@ -24,6 +24,7 @@ import hudson.plugins.analysis.core.AbstractHealthDescriptor; import hudson.plugins.analysis.core.BuildHistory; import hudson.util.Graph; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * Configuration properties of a trend graph. @@ -169,6 +170,7 @@ public String getKey() { * @param response * Stapler response */ + @RequirePOST public void doSave(final StaplerRequest request, final StaplerResponse response) { try { JSONObject formData = request.getSubmittedForm();
src/main/resources/hudson/plugins/analysis/graph/GraphConfigurationView/index.jelly+1 −1 modified@@ -2,7 +2,7 @@ <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt" xmlns:u="/util"> - <l:layout norefresh="true"> + <l:layout norefresh="true"><!-- no permission check because UserGraphConfigurationView exists --> <st:include it="${it.owner}" page="sidepanel.jelly" /> <l:main-panel> <f:form method="post" action="save" name="Save">
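Review bot: in the DefaultGraphConfigurationView hunk, the `getTarget()` added at the end of the class checks `Job.CONFIGURE` before any request reaches the view, so the `@RequirePOST` override of `doSave` above it is a second layer that a Job/Read user can never reach; keeping both is fine as defense in depth, but the side effect should be documented: viewing the default graph configuration page now also requires Job/Configure, whereas the description only promises that saving does. Two smaller points: `Job.CONFIGURE` is used without the hunk adding an import for `hudson.model.Job`, so confirm that import already exists in the unchanged part of the file; and the `RequirePOST` import is placed after the `hudson.plugins.analysis` imports instead of next to the other `org.kohsuke.stapler` imports at the top.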
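Review bot: in the GraphConfigurationView hunk, `@RequirePOST` on the base-class `doSave` changes the contract for every subclass, including the per-user view the jelly comment refers to, but the Javadoc directly above it (ending in `@param response Stapler response`) is not updated; add a line stating that the handler accepts POST only so callers of subclasses are not surprised by 405 responses.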
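Review bot: in the index.jelly hunk, the comment `no permission check because UserGraphConfigurationView exists` is attached to the `<l:layout>` element, where it reads as if the layout itself were the decision point; it would be clearer next to the `<f:form method="post" action="save" name="Save">` it concerns, and it should say where the check for the default view now lives (the `getTarget()` in DefaultGraphConfigurationView) so the next reader does not reintroduce a page-level gate that would lock out per-user configuration. No functional change here: the form already uses `method="post"`, so the new `@RequirePOST` on `doSave` does not break the UI path.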
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3v9f-4vff-rx42 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10307 (NVD advisory)
- www.openwall.com/lists/oss-security/2019/04/30/5 (mailing list, x_refsource_MLIST)
- www.securityfocus.com/bid/108159 (vdb entry, x_refsource_BID)
- github.com/jenkinsci/analysis-core-plugin/commit/3d7a0c7907d831c58541508b893dcea2039809c5 (fix commit)
- jenkins.io/security/advisory/2019-04-30/ (vendor advisory, x_refsource_CONFIRM)
- web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159 (archived BID entry)
News mentions
No linked articles in our index yet.