VYPR
Moderate severity · NVD Advisory · Published May 31, 2019 · Updated Aug 4, 2024

CVE-2019-10326

Description

CVE-2019-10326 is a medium-severity CSRF in Jenkins Warnings NG Plugin ≤5.0.0 allowing attackers to reset warning counts for future builds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-10326 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Warnings Next Generation Plugin (warnings-ng) versions 5.0.0 and earlier. The plugin did not require that requests sent to the endpoint used to reset warning counts use the HTTP POST method, leaving it vulnerable to CSRF attacks [2].

Exploitation

An attacker can exploit this vulnerability by tricking an authenticated Jenkins user into visiting a maliciously crafted web page or link. No special privileges are required beyond the user having access to the Jenkins instance; the CSRF attack can be performed without the need for authentication on the attacker's part. The vulnerable endpoint, used to reset warning counts, accepts GET requests, which can be triggered by a cross-site request [1][2].

Impact

Successful exploitation allows an attacker to reset the warning counts for future builds. This can cause a loss of warning history, potentially hiding new warnings introduced in subsequent builds and undermining the monitoring and alerting capabilities of the plugin. The integrity of build analysis data is compromised [2][3].

Mitigation

The vulnerability is fixed in Warnings Next Generation Plugin version 5.1.0, released on 2019-05-31. The fix requires that all requests to the reset endpoint are sent via HTTP POST, which prevents CSRF attacks. Users should upgrade to version 5.1.0 or later immediately. There are no known workarounds [1][3][4].
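
The difference the fix makes, as an added Python model that is not the plugin's code or anything from the advisory: the handler names, the session and crumb fields, and all sample values are constructed. It assumes Jenkins' CSRF protection (the crumb check applied to POST requests) is enabled, which is what makes POST-only routing effective against forged requests.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; stands in for a server-side secret


def crumb_for(session_id):
    """Per-session anti-CSRF token that a cross-site page cannot read."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class Job:
    """Constructed stand-in for a job whose warning count can be reset."""
    def __init__(self, warning_count):
        self.warning_count = warning_count


def reset_vulnerable(job, request):
    """Pre-fix model: any request in a logged-in session resets, whatever the method."""
    if not request.get("session"):
        return 403
    job.warning_count = 0
    return 200


def reset_hardened(job, request):
    """Post-fix model: POST only, and (assumption) the POST must carry the crumb."""
    if not request.get("session"):
        return 403
    if request["method"] != "POST":
        return 405  # a cross-site GET stops here
    if not hmac.compare_digest(request.get("crumb", ""), crumb_for(request["session"])):
        return 403  # a cross-site form POST cannot supply the crumb
    job.warning_count = 0
    return 200


# Constructed requests. The browser attaches the victim's session to the forged
# ones automatically; only the legitimate page knows the crumb.
FORGED_GET = {"method": "GET", "session": "victim-session"}
FORGED_POST = {"method": "POST", "session": "victim-session"}
LEGIT_POST = {"method": "POST", "session": "victim-session",
              "crumb": crumb_for("victim-session")}


def run(handler, request, start=17):
    """Apply one request to a fresh job; return (HTTP status, resulting count)."""
    job = Job(start)
    return handler(job, request), job.warning_count
```
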

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:warnings-ng (Maven)
Affected versions: < 5.1.0
Patched versions: 5.1.0
