CVE-2019-10331
Description
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins ElectricFlow Plugin <=1.1.5 allowed attackers to make Jenkins connect to attacker-controlled URLs with attacker-specified credentials.
Vulnerability
Overview
CVE-2019-10331 is a cross-site request forgery (CSRF) vulnerability in the Jenkins ElectricFlow Plugin versions 1.1.5 and earlier. The doTestConnection method in the Configuration class did not require POST requests or perform any CSRF token validation, allowing attackers to trick Jenkins users into executing unintended actions [2].
Exploitation
To exploit this vulnerability, an attacker must craft a malicious web page or link that, when visited by an authenticated Jenkins user with sufficient permissions (Overall/Read access), triggers a request to the Jenkins server. This request causes the vulnerable method to connect to an attacker-specified URL using attacker-supplied credentials [2]. No additional authentication is required beyond the victim's session.
Impact
Successful exploitation enables an attacker to perform server-side request forgery (SSRF) attacks. The attacker can make Jenkins connect to internal or external resources, potentially accessing sensitive data or services that are otherwise inaccessible. Additionally, the attacker-controlled credentials could be used to authenticate to other systems if leaked [2].
Mitigation
The vulnerability has been fixed in ElectricFlow Plugin version 1.1.7 [3]. Users are strongly advised to upgrade to the latest version. No workarounds are documented. This CVE is listed as part of a broader security advisory affecting multiple Jenkins plugins [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:electricflowMaven | < 1.1.7 | 1.1.7 |
Affected products
2- Jenkins project/Jenkins ElectricFlow Pluginv5Range: 1.1.5 and earlier
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-76x4-hr82-cg3mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10331ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/06/11/1ghsamailing-listx_refsource_MLISTWEB
- www.securityfocus.com/bid/108747mitrevdb-entryx_refsource_BID
- jenkins.io/security/advisory/2019-06-11/mitrex_refsource_CONFIRM
- jenkins.io/security/advisory/2019-06-11/ghsaWEB
- web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747ghsaWEB
News mentions
0No linked articles in our index yet.