CVE-2019-10308
Description
Missing permission check in Jenkins Static Analysis Utilities Plugin allows attackers with Overall/Read permission to alter default graph configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing permission check in Jenkins Static Analysis Utilities Plugin (also known as the analysis-core Plugin) versions 1.95 and earlier, specifically in the DefaultGraphConfigurationView#doSave form handler method [1], allows attackers with Overall/Read permission to change the per-job default graph configuration for all users [2]. The plugin provides configuration forms for default settings of trend graphs used by other plugins for static analysis results, and neither the configuration page nor the form submission handler performed a permission check [1][3].
Exploitation
An attacker with Overall/Read permission can send a crafted request to the doSave endpoint. Because the handler did not require POST, the same change could also be triggered through a cross-site request forgery (CSRF) attack, tracked separately as CVE-2019-10307 [1]. The attacker does not need Job/Configure permission; any user with Read access can modify the default graph configuration for all users of a specific job [1][2].
Impact
Successful exploitation allows the attacker to alter the default graph configuration for all users viewing that job’s trend graphs, potentially leading to misleading or unauthorized display of analysis results, though limited to the graph defaults (no direct file write or RCE) [1][2].
Mitigation
The vulnerability is fixed in Jenkins Static Analysis Utilities Plugin version 1.96, released on 2019-04-30 [1][3]. The fix adds Job/Configure permission checks and @RequirePOST to the doSave method, also addressing the CSRF component [1][4]. Users should update to version 1.96 or later; no workarounds are available for versions 1.95 and earlier.
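The pattern behind the flaw and the fix, as an added example written for this page rather than code from the analysis-core plugin: the hypothetical classes UnguardedDefaultsView and GuardedDefaultsView stand in for the plugin's view, and a string field stands in for the per-job defaults file. The hardened class applies the same two layers the 1.96 fix used, a StaplerProxy#getTarget check that gates the whole view and a @RequirePOST handler that re-checks Job/Configure.

```java
import java.io.IOException;
import javax.servlet.ServletException;

import hudson.model.Job;
import org.kohsuke.stapler.StaplerProxy;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Shape of the flaw in analysis-core <= 1.95: a Stapler-bound view whose form handler checks
 *  nothing, so anyone who can reach the job URL (Overall/Read) can rewrite the job-wide graph
 *  defaults, and a plain GET suffices, which is also what made the CSRF variant possible. */
class UnguardedDefaultsView {
    protected final Job<?, ?> owner;   // the job whose shared defaults this view edits
    protected String defaults = "{}";  // hypothetical stand-in for the per-job defaults file

    UnguardedDefaultsView(Job<?, ?> owner) { this.owner = owner; }

    // Reached at <job-url>/<view>/save; no @RequirePOST and no permission check.
    public void doSave(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        defaults = req.getSubmittedForm().toString();   // overwrites what every user of the job sees
        rsp.sendRedirect(owner.getAbsoluteUrl());
    }
}

/** Hardened form, mirroring the two layers the 1.96 fix introduced. */
class GuardedDefaultsView extends UnguardedDefaultsView implements StaplerProxy {
    GuardedDefaultsView(Job<?, ?> owner) { super(owner); }

    /** Stapler calls getTarget() before routing any URL below this view, so this one check also
     *  gates the GET that renders the configuration form, not only the save. */
    @Override
    public Object getTarget() {
        owner.checkPermission(Job.CONFIGURE);   // throws AccessDeniedException for Overall/Read-only users
        return this;
    }

    /** @RequirePOST makes Stapler reject non-POST requests, so the save can no longer be triggered by
     *  a GET and the Jenkins crumb (CSRF) check applies to every submission that reaches it. */
    @RequirePOST
    @Override
    public void doSave(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        owner.checkPermission(Job.CONFIGURE);   // kept on the handler as well, as defence in depth
        super.doSave(req, rsp);
    }
}
```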
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jvnet.hudson.plugins:analysis-core (Maven) | < 1.96 | 1.96 |
Affected products
- Range: 1.95 and earlier
Patches
3d7a0c7907d8 [SECURITY-1100]
3 files changed · +19 −2
src/main/java/hudson/plugins/analysis/graph/DefaultGraphConfigurationView.java+16 −1 modified@@ -5,6 +5,7 @@ import java.io.IOException; import org.apache.commons.io.IOUtils; +import org.kohsuke.stapler.StaplerProxy; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; @@ -13,11 +14,12 @@ import hudson.plugins.analysis.Messages; import hudson.plugins.analysis.core.BuildHistory; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * Configures the default values for the trend graph of this plug-in. */ -public class DefaultGraphConfigurationView extends GraphConfigurationView { +public class DefaultGraphConfigurationView extends GraphConfigurationView implements StaplerProxy { private final String url; /** @@ -42,6 +44,13 @@ public DefaultGraphConfigurationView(final GraphConfiguration configuration, fin configuration.initializeFromFile(createDefaultsFile(job, pluginName)); } + @RequirePOST + @Override + public void doSave(StaplerRequest request, StaplerResponse response) { + getOwner().checkPermission(Job.CONFIGURE); + super.doSave(request, response); + } + /** * Creates a new instance of {@link DefaultGraphConfigurationView}. * @@ -132,5 +141,11 @@ protected void persistValue(final String value, final String pluginName, final S output.close(); } } + + @Override + public Object getTarget() { + getOwner().checkPermission(Job.CONFIGURE); + return this; + } }
src/main/java/hudson/plugins/analysis/graph/GraphConfigurationView.java+2 −0 modified@@ -24,6 +24,7 @@ import hudson.plugins.analysis.core.AbstractHealthDescriptor; import hudson.plugins.analysis.core.BuildHistory; import hudson.util.Graph; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * Configuration properties of a trend graph. @@ -169,6 +170,7 @@ public String getKey() { * @param response * Stapler response */ + @RequirePOST public void doSave(final StaplerRequest request, final StaplerResponse response) { try { JSONObject formData = request.getSubmittedForm();
src/main/resources/hudson/plugins/analysis/graph/GraphConfigurationView/index.jelly+1 −1 modified@@ -2,7 +2,7 @@ <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt" xmlns:u="/util"> - <l:layout norefresh="true"> + <l:layout norefresh="true"><!-- no permission check because UserGraphConfigurationView exists --> <st:include it="${it.owner}" page="sidepanel.jelly" /> <l:main-panel> <f:form method="post" action="save" name="Save">
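Review bot: `Job.CONFIGURE` is referenced in the new `doSave` override in DefaultGraphConfigurationView, but this hunk adds no `import hudson.model.Job`; it only compiles if Job is already imported for the constructor's job parameter, so please confirm that import is present. Also, `@RequirePOST` now sits on both this override and the base `GraphConfigurationView#doSave`; the repetition is harmless, but a one-line comment saying it is deliberate (so the subclass stays safe if the base annotation is ever removed) would spare the next reader a trip to the parent class.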
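Review bot: the new `getTarget()` has no Javadoc, yet it is the check that closes the unauthenticated read of the configuration page: Stapler resolves `StaplerProxy#getTarget` before routing any URL under the view, so the `Job.CONFIGURE` check there gates the GET of the form as well as the save. Suggest a short comment stating that, and that the check inside `doSave` is intentional defence in depth rather than the primary gate, for example `// Gates every URL below this view, including the form page; doSave re-checks for safety.`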
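Review bot: the base `GraphConfigurationView#doSave` gains `@RequirePOST` but still performs no permission check, and the jelly comment only says `no permission check because UserGraphConfigurationView exists`. Both places should say where authorisation for the shared-defaults case lives (`DefaultGraphConfigurationView#getTarget`) so that a future subclass exposing job-wide state does not silently inherit an unguarded handler; the `doSave` Javadoc could end with `Subclasses that persist job-wide state must enforce Job.CONFIGURE themselves.` Minor style point: the `RequirePOST` import is added after `hudson.util.Graph` instead of alongside the other `org.kohsuke.stapler` imports.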
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vvfj-p4jf-j8rm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10308 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/30/5 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/108159 (ghsa, vdb-entry, x_refsource_BID, WEB)
- github.com/jenkinsci/analysis-core-plugin/commit/3d7a0c7907d831c58541508b893dcea2039809c5 (ghsa, WEB)
- jenkins.io/security/advisory/2019-04-30/ (ghsa, x_refsource_CONFIRM, WEB)