VYPR
Moderate severity · NVD Advisory · Published Jul 31, 2019 · Updated Aug 4, 2024

CVE-2019-10344

Description

Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Configuration as Code Plugin 1.24 and earlier lacked permission checks on HTTP endpoints, allowing Overall/Read users to view generated schema and documentation of installed plugins.

Missing Permission Check in Configuration as Code Plugin

Jenkins Configuration as Code Plugin versions 1.24 and earlier contained missing permission checks in various HTTP endpoints. These endpoints exposed the generated schema and documentation for the plugin, which contain detailed information about installed plugins. The issue was identified as SECURITY-1290 and affects all plugin versions prior to 1.25 [1][3].

The attack surface is reachable by any user holding Overall/Read, the baseline permission every authenticated Jenkins user needs in order to use the instance at all; on instances that grant Overall/Read to anonymous, no account is needed. The affected HTTP endpoints did not enforce the Jenkins.ADMINISTER permission that the fix later requires, so read-only users could retrieve the generated configuration schema and reference documentation. Exploitation is a plain GET request over the network with no prerequisite beyond that read access [1][2].

The impact is information disclosure: an attacker obtains the generated schema and the reference documentation, which together enumerate the installed plugins and the attributes of each that Configuration as Code can set. This does not by itself allow code execution or data modification, but it hands the attacker an accurate map of the plugin landscape with which to plan further attacks [1][3].

The vulnerability has been addressed in Configuration as Code Plugin version 1.25, which adds proper permission checks (Jenkins.ADMINISTER) to the doReference and doSchema endpoints [4]. Users are advised to upgrade to version 1.25 or later. There is no workaround available beyond restricting Overall/Read access, which is often not feasible in multi-user Jenkins deployments [1][2].
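To turn the version range and endpoint behaviour described above into something an operator can run, here is an added example (not code from the advisory or from the plugin project). It gates on the plugin version from the standard Jenkins plugin manager API (assumed fields shortName and version from /pluginManager/api/json?depth=1), classifies the HTTP status codes returned when the two endpoints named in the fix commit's test (configuration-as-code/schema and configuration-as-code/reference) are fetched with a read-only account or anonymously, and combines both into a verdict. The network probe uses HTTP basic auth with a Jenkins API token, which is an assumption about how the target is reachable; the sample plugin-manager document and probe results at the bottom are constructed for this example.

```python
"""Check a Jenkins instance for CVE-2019-10344 exposure (offline logic + optional live probe).

Added example for this advisory; not code from the plugin or the advisory itself.
Assumptions: the standard Jenkins plugin manager API (/pluginManager/api/json?depth=1,
fields shortName/version) and the two endpoint paths from the fix commit's test,
configuration-as-code/schema and configuration-as-code/reference.
"""
import json
import re
from base64 import b64encode
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PLUGIN_SHORT_NAME = "configuration-as-code"
FIXED_VERSION = "1.25"          # first release carrying the SECURITY-1290 fix
ENDPOINTS = ("configuration-as-code/schema", "configuration-as-code/reference")


def version_key(version):
    """Comparable key for a Jenkins plugin version string.

    Numeric segments compare numerically (1.10 > 1.9); a qualifier after '-'
    (e.g. '1.25-rc') sorts before the bare release it precedes.
    """
    main, _, qualifier = version.partition("-")
    nums = tuple(int(part) for part in re.findall(r"\d+", main))
    return (nums, 0 if qualifier else 1, qualifier)


def is_affected_version(version):
    """True for every version before 1.25 (the advisory's '< 1.25' range)."""
    return version_key(version) < version_key(FIXED_VERSION)


def installed_version(plugin_manager_doc, short_name=PLUGIN_SHORT_NAME):
    """Version of the named plugin from a pluginManager API document, or None if not installed."""
    doc = json.loads(plugin_manager_doc) if isinstance(plugin_manager_doc, str) else plugin_manager_doc
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def probe_live(base_url, user=None, api_token=None, timeout=10):
    """GET both endpoints as a low-privilege user (or anonymously when user is None).

    Returns {path: HTTP status}. This is the only function that touches the
    network; the offline sample below does not call it.
    """
    headers = {}
    if user is not None:
        token = b64encode(f"{user}:{api_token}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    results = {}
    for path in ENDPOINTS:
        req = Request(f"{base_url.rstrip('/')}/{path}", headers=headers)
        try:
            with urlopen(req, timeout=timeout) as resp:
                results[path] = resp.status
        except HTTPError as err:
            results[path] = err.code
    return results


def classify_probe(status_codes):
    """Interpret probe results taken with an account that has only Overall/Read.

    200 on either endpoint: a non-admin can read the schema/reference (exposed).
    403 on both: the patched handlers rejected the request (protected).
    404 on both: plugin or endpoints absent.  Anything else (401, 302, ...) is
    inconclusive, e.g. bad credentials or a redirect to the login page.
    """
    codes = [status_codes.get(path) for path in ENDPOINTS]
    if any(code == 200 for code in codes):
        return "exposed"
    if all(code == 403 for code in codes):
        return "protected"
    if all(code == 404 for code in codes):
        return "absent"
    return "inconclusive"


def assess(plugin_manager_doc, status_codes=None):
    """Combine the version gate with an optional probe result into a verdict string."""
    version = installed_version(plugin_manager_doc)
    if version is None:
        return "not-installed"
    verdict = "affected" if is_affected_version(version) else "fixed"
    if status_codes is not None:
        verdict += "/" + classify_probe(status_codes)
    return verdict


# Constructed sample input: a trimmed pluginManager document for an instance
# still on the last vulnerable release, and probe results from a read-only session.
SAMPLE_PLUGIN_MANAGER = json.dumps({"plugins": [
    {"shortName": "git", "version": "3.10.0"},
    {"shortName": "configuration-as-code", "version": "1.24"},
]})
SAMPLE_PROBE_BEFORE_FIX = {ENDPOINTS[0]: 200, ENDPOINTS[1]: 200}

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_MANAGER, SAMPLE_PROBE_BEFORE_FIX))  # affected/exposed
```

Run the probe with a deliberately unprivileged account (or with user=None to cover instances that grant Overall/Read to anonymous) rather than an admin one: an admin gets 200 on both endpoints regardless of the fix, so only a read-only session distinguishes vulnerable from patched behaviour. The version gate alone is enough for patch tracking; the probe is what confirms the control is actually enforced on a running instance.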

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Ecosystem   Affected versions   Patched versions
io.jenkins:configuration-as-code    Maven       < 1.25              1.25

Affected products

2

Patches

1
1c531c1a46fc

[SECURITY-1290]

https://github.com/jenkinsci/configuration-as-code-plugin · Evaristo Gutiérrez · Jul 29, 2019 · via ghsa
2 files changed · +69 −0
  • plugin/src/main/java/io/jenkins/plugins/casc/ConfigurationAsCode.java  +18 −0  modified
    @@ -414,6 +414,24 @@ public void doViewExport(StaplerRequest req, StaplerResponse res) throws Excepti
             req.getView(this, "viewExport.jelly").forward(req, res);
         }
     
    +    public void doReference(StaplerRequest req, StaplerResponse res) throws Exception {
    +        if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
    +            res.sendError(HttpServletResponse.SC_FORBIDDEN);
    +            return;
    +        }
    +
    +        req.getView(this, "reference.jelly").forward(req, res);
    +    }
    +
    +    public void doSchema(StaplerRequest req, StaplerResponse res) throws Exception {
    +        if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
    +            res.sendError(HttpServletResponse.SC_FORBIDDEN);
    +            return;
    +        }
    +
    +        req.getView(this, "schema.jelly").forward(req, res);
    +    }
    +
         @Restricted(NoExternalUse.class)
         public void export(OutputStream out) throws Exception {
     
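Review bot: both new handlers repeat the same `Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)` / `res.sendError(HttpServletResponse.SC_FORBIDDEN)` sequence by hand; the idiomatic form in Jenkins plugins is `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` as the first statement, which throws AccessDeniedException and lets core produce the standard 403 for logged-in users and the login redirect for anonymous, instead of an unconditional 403 that never offers an anonymous user a chance to authenticate. `Jenkins.getInstance()` is also deprecated in favour of `Jenkins.get()` where the plugin's core baseline permits. Since the methods only exist to put a check in front of `reference.jelly` and `schema.jelly`, factoring the check into one helper would keep a future doXxx view handler from forgetting it.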
    
  • plugin/src/test/java/io/jenkins/plugins/casc/Security1290Test.java  +51 −0  added
    @@ -0,0 +1,51 @@
    +package io.jenkins.plugins.casc;
    +
    +import com.gargoylesoftware.htmlunit.HttpMethod;
    +import com.gargoylesoftware.htmlunit.WebRequest;
    +import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithCodeRule;
    +import java.io.IOException;
    +import java.net.HttpURLConnection;
    +import java.net.URL;
    +import jenkins.model.Jenkins;
    +import org.junit.Rule;
    +import org.junit.Test;
    +import org.jvnet.hudson.test.JenkinsRule;
    +import org.jvnet.hudson.test.MockAuthorizationStrategy;
    +
    +import static org.junit.Assert.assertEquals;
    +
    +public class Security1290Test {
    +
    +    @Rule
    +    public JenkinsConfiguredWithCodeRule j = new JenkinsConfiguredWithCodeRule();
    +
    +    @Test
    +    public void configurationAsCodePagesPermissions() throws Exception {
    +        final String ADMIN = "admin";
    +        final String USER = "user";
    +
    +        j.jenkins.setCrumbIssuer(null);
    +        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
    +        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
    +                .grant(Jenkins.ADMINISTER).everywhere().to(ADMIN)
    +                .grant(Jenkins.READ).everywhere().to(USER)
    +        );
    +
    +        JenkinsRule.WebClient adminWc = j.createWebClient();
    +        adminWc.login(ADMIN);
    +
    +        JenkinsRule.WebClient userWc = j.createWebClient()
    +                .withThrowExceptionOnFailingStatusCode(false);
    +        userWc.login(USER);
    +
    +        assertRightPermissionConfigurations("configuration-as-code/schema", adminWc, userWc);
    +        assertRightPermissionConfigurations("configuration-as-code/reference", adminWc, userWc);
    +    }
    +
    +    private void assertRightPermissionConfigurations(String relativeUrl, JenkinsRule.WebClient adminWc, JenkinsRule.WebClient userWc) throws IOException {
    +        WebRequest request = new WebRequest(new URL(j.getURL() + relativeUrl), HttpMethod.GET);
    +
    +        assertEquals(HttpURLConnection.HTTP_OK, adminWc.getPage(request).getWebResponse().getStatusCode());
    +        assertEquals(HttpURLConnection.HTTP_FORBIDDEN, userWc.getPage(request).getWebResponse().getStatusCode());
    +    }
    +}
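Review bot: the test only exercises an authenticated Overall/Read user (`userWc.login(USER)`); add a third client that never logs in, so the anonymous case is covered as well, since deployments that grant Overall/Read to anonymous are exactly where this disclosure bites hardest. `j.jenkins.setCrumbIssuer(null)` is unnecessary here because both requests in `assertRightPermissionConfigurations` are `HttpMethod.GET` and crumbs are only checked on POST; dropping it keeps the test's security setup closer to a real instance.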
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.