VYPR
High severity · NVD Advisory · Published Aug 7, 2019 · Updated Aug 4, 2024

CVE-2019-10386

Description

CSRF in Jenkins XL TestView Plugin 1.2.0 and earlier allows attackers with Overall/Read to connect to arbitrary URLs using attacker-specified credential IDs, capturing stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-10386 is a cross-site request forgery (CSRF) vulnerability in the Jenkins XL TestView Plugin, versions 1.2.0 and earlier. The flaw resides in the XLTestView.XLTestDescriptor#doTestConnection method, which does not perform any CSRF protection checks. This allows an attacker to trick a Jenkins user with Overall/Read permissions into making an unintended HTTP request [1][2].

Exploitation

To exploit this vulnerability, an attacker must first obtain valid credential IDs from the Jenkins instance through another method (e.g., by exploiting a different flaw or through configuration exposure). The attacker then crafts a malicious web page or link that, when visited by an authenticated Jenkins user with Overall/Read access, triggers a request to the doTestConnection endpoint. This request uses the attacker-specified credential IDs and a URL controlled by the attacker [1][3].

Impact

Successful exploitation allows the attacker to connect to an arbitrary URL using the attacker-chosen credentials stored in Jenkins. This effectively captures those credentials, potentially leading to further compromise of the Jenkins environment or other systems reachable by the attacker's URL [1][2]. Because a victim holding only Overall/Read access is enough to trigger the attack, the impact is significant even where users are otherwise low-privileged.

Mitigation

As of the Jenkins Security Advisory published on August 7, 2019, no fix was immediately available for the XL TestView Plugin. The advisory lists the plugin among those with unresolved security issues [1][2]. Users are advised to restrict Overall/Read access where possible and monitor for plugin updates. No workaround is mentioned for this specific vulnerability.
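As an added example (not code from the XL TestView plugin or from the advisory), this is the Jenkins-standard way to protect a descriptor's doTestConnection form-validation method against exactly the shape the Overview describes: ExampleServerDescriptor, ExampleServer and the connect() helper are hypothetical, while @POST, @QueryParameter, @AncestorInPath, checkPermission and the CredentialsProvider lookup are the real Stapler, Jenkins core and Credentials plugin APIs.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical descriptor with the same shape the advisory describes (ExampleServer is hypothetical too).
public class ExampleServerDescriptor extends Descriptor<ExampleServer> {

    // Without @POST and the permission check below (the shape CVE-2019-10386 describes), Stapler serves
    // this method on GET with no CSRF crumb, so a page a logged-in user loads elsewhere can make Jenkins
    // send a stored credential to a URL of the page author's choosing. @POST rejects GET and requires the crumb.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
            @QueryParameter String url, @QueryParameter String credentialsId) {
        // Restrict callers to users who may configure the item (or administer Jenkins), not merely Overall/Read.
        if (item == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        else item.checkPermission(Item.CONFIGURE);
        return connect(item, url, credentialsId);
    }

    // Hypothetical helper: resolve the stored credential in the item's context and probe the server.
    private FormValidation connect(Item item, String url, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) return FormValidation.error("Unknown credential ID");
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String basic = Base64.getEncoder().encodeToString((c.getUsername() + ":"
                    + c.getPassword().getPlainText()).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + basic);
            return conn.getResponseCode() < 400 ? FormValidation.ok("Connection succeeded")
                    : FormValidation.error("HTTP " + conn.getResponseCode());
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The two controls address the two halves of the finding: @POST closes the cross-site trigger, and the permission check closes the gap that let anyone holding only Overall/Read select which stored credential is sent.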

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xebialabs.xlt.ci:xltestview-plugin (Maven)
Affected versions: <= 1.2.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4