CVE-2019-10408
Description
A CSRF vulnerability in Jenkins Project Inheritance Plugin allowed attackers to trigger project generation from templates without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2019-10408 describes a cross-site request forgery (CSRF) vulnerability in the Jenkins Project Inheritance Plugin, versions 2.0.0 and earlier. Because the plugin's project generation endpoint lacks CSRF protection, an attacker can trick a Jenkins user who holds the appropriate permissions into unknowingly generating new projects from predefined templates [1]. The root cause is the absence of CSRF token validation on that endpoint, which lets a forged request perform actions on behalf of an authenticated user without that user's intent.
Exploitation
Prerequisites and Attack Vector
To exploit this vulnerability, an attacker must craft a malicious web page or link that, when visited by an authenticated Jenkins user, sends a forged request to the Jenkins instance. The attack requires the target user to have the ability to manage or create projects in the Project Inheritance Plugin. No direct authentication is needed by the attacker, as the request is executed under the victim's session [2]. The attack is successful if the victim navigates to the malicious resource while logged into Jenkins.
Impact
Successful exploitation results in the generation of projects from templates without the user's consent or knowledge. This could lead to the creation of unauthorized Jenkins jobs, potentially altering the CI/CD pipeline or exposing sensitive build configurations. The impact is considered medium severity, as it requires user interaction and existing permissions, but it can lead to unauthorized modifications within the Jenkins environment [3].
Mitigation
The vulnerability is patched in Project Inheritance Plugin version 19.08.02, released on September 25, 2019. Users should update to this version or later. There are no known workarounds other than disabling the plugin if an immediate update is not possible [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hudson.plugins:project-inheritance (Maven) | < 19.08.2 | 19.08.2 |
Affected products
- Range: 2.0.0 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xc7q-p3f4-q389 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10408 (NVD advisory)
- www.openwall.com/lists/oss-security/2019/09/25/3 (oss-security mailing list)
- jenkins.io/security/advisory/2019-09-25/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.