VYPR
Moderate severity · NVD Advisory · Published Aug 7, 2019 · Updated Aug 4, 2024

CVE-2019-10387

Description

Jenkins XL TestView Plugin 1.2.0 and earlier lacks a permission check, allowing users with Overall/Read to connect to attacker-controlled URLs and capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Jenkins XL TestView Plugin versions 1.2.0 and earlier contain a missing permission check in the XLTestView.XLTestDescriptor#doTestConnection method. This flaw allows users who have only the Overall/Read permission to trigger a connection to an attacker-specified URL using attacker-specified credential IDs. The credential IDs must be obtained through another method, such as a separate information disclosure vulnerability [1][2][3].

Exploitation

An attacker with Overall/Read access exploits this by sending a request to the doTestConnection form-validation endpoint with a URL they control and a credential ID they already know. The plugin resolves the ID to the stored secret and authenticates to that URL with it, so the attacker's server receives the credential (for example a password or API token) directly from Jenkins. No authentication beyond the initial Overall/Read permission is required, but the attacker does need a valid credential ID, which the plugin itself does not disclose [1][2].
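The Description and Exploitation passages above both come down to one method shape: a Jenkins form-validation method that accepts a URL and a credentials ID from the request and performs an authenticated connection without first checking who is asking. The example below is added here and is not code from the XL TestView Plugin or from Jenkins; it shows that shape next to the standard Jenkins fix for this bug class (a permission check that implies the right to use the credential, plus a POST requirement). The class name XlTestViewDescriptorExample, the parameter names serverUrl and credentialsId, and the use of HTTP Basic authentication are assumptions for illustration; the page does not state how the real plugin authenticates.

```java
// Added example, not code from the XL TestView Plugin or from Jenkins. It shows
// the bug class the advisory describes and the standard Jenkins fix for it.
// Class and parameter names (XlTestViewDescriptorExample, serverUrl,
// credentialsId) and the use of HTTP Basic auth are assumptions for illustration.

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class XlTestViewDescriptorExample extends Descriptor<Builder> {

    // BEFORE: the shape of CVE-2019-10387. Stapler exposes this method as
    // .../descriptorByName/<class>/testConnectionVulnerable to any user with
    // Overall/Read. The caller picks both the target URL and the credentials ID,
    // and nothing restricts the HTTP method, so a plain GET is enough.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String serverUrl,
                                                      @QueryParameter String credentialsId) {
        return tryConnect(serverUrl, credentialsId);
    }

    // AFTER: the two fixes Jenkins applies to form-validation methods.
    //  1. Check a permission that actually implies "may use these credentials":
    //     Item/Configure on the job whose config page hosts the form, or
    //     Overall/Administer when the form lives in the global configuration.
    //  2. @POST makes Stapler refuse GET, so the request also needs a CSRF crumb.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return tryConnect(serverUrl, credentialsId);
    }

    // Shared connection logic. Resolving a credentials ID to a secret is exactly
    // why the permission check matters: without it, Overall/Read is enough to
    // make Jenkins send this secret to whatever host is named in serverUrl.
    private FormValidation tryConnect(String serverUrl, String credentialsId) {
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) {
            return FormValidation.error("No username/password credentials with ID " + credentialsId);
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            // Basic auth is assumed here; the real plugin's scheme is not given on this page.
            String userPass = creds.getUsername() + ":" + creds.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8)));
            int code = conn.getResponseCode();
            return code == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("Server returned HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

To check a deployed plugin for this pattern without reading its source, log in as a user who holds only Overall/Read and issue a GET to the descriptor's testConnection endpoint with a serverUrl pointing at a host you control and any credentials ID. A hardened method denies the request (Jenkins answers an AccessDeniedException for an authenticated user with a 403) and rejects GET outright because of @POST; a vulnerable one produces an inbound connection on your listener, and the credential appears in its request headers.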

Impact

Successful exploitation results in the capture of Jenkins-stored credentials, which can be leveraged for lateral movement or privilege escalation within the Jenkins environment. The vulnerability is rated as Medium severity in the Jenkins security advisory [1].

Mitigation

No fixed version is named: the Jenkins security advisory lists the XL TestView Plugin among the plugins with unresolved issues as of its publication date, and this page records no patched version for com.xebialabs.xlt.ci:xltestview-plugin. No workaround is documented in the advisory [1][2]. Until a fix ships, the exposure can only be reduced by general hardening that the advisory does not itself prescribe: keep Overall/Read limited to trusted users, and treat every credential ID bound to this plugin as potentially exposed to any such user.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xebialabs.xlt.ci:xltestview-plugin (Maven)
Affected versions: <= 1.2.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)