CVE-2019-10441
Description
CSRF in Jenkins iceScrum Plugin 1.1.5 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins iceScrum Plugin, versions 1.1.5 and earlier. The plugin's form validation methods lacked proper CSRF protection, specifically the doCheckUrl, doLoginCheck, and doOldLoginCheck endpoints were not annotated with @RequirePOST to enforce POST requests. Additionally, these methods did not perform permission checks, allowing any user with at least Overall/Read access to trigger them [1][2][4].
Exploitation
An attacker can craft a malicious web page that, when visited by an authenticated Jenkins user, sends a forged request to the Jenkins server. This request exploits the missing CSRF token and missing permission check to connect Jenkins to an attacker-specified URL using attacker-specified credentials. No special privileges beyond the victim's existing session are required to initiate the attack [1]. The attacker must rely on social engineering or other techniques to trick a user with access to the Jenkins instance into clicking a link or visiting a compromised site [2].
Impact
Successful exploitation allows the attacker to make Jenkins connect to an arbitrary URL with credentials of the attacker's choosing. This can be used to exfiltrate data, interact with internal systems, or perform actions on other services as if originating from the Jenkins server. The severity is rated Medium (CVSS 4.3) by the Jenkins project [1][2].
Mitigation
The vulnerability was fixed in commit 2e248f7e2cfc5deb2d796f9fbaf42d8ea33ccad4, which added the @RequirePOST annotation to enforce POST requests and included permission checks (Jenkins.ADMINISTER) for the vulnerable endpoints [1][4]. Users should upgrade the iceScrum Plugin to version 1.1.6 or later. No workaround is provided for earlier versions [1].
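A regression test for the two controls named above, written here as an added example rather than code from the plugin or the advisory. It assumes the patched IceScrumProjectProperty descriptor is on the test classpath, that Stapler routes its form validation at descriptorByName/<FQCN>/checkUrl (the standard convention for descriptor check methods), and that the test harness ships the org.htmlunit variant of HtmlUnit (older harnesses use com.gargoylesoftware.htmlunit).

```java
import static org.junit.Assert.assertEquals;

import java.net.URL;
import jenkins.model.Jenkins;
import org.htmlunit.HttpMethod;
import org.htmlunit.Page;
import org.htmlunit.WebRequest;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.MockAuthorizationStrategy;

// Added example: checks that the form-validation endpoint cannot be driven by a
// forged cross-site request and cannot be reached by a read-only user.
public class IceScrumFormValidationSecurityTest {

    @Rule public JenkinsRule j = new JenkinsRule();

    // Assumed Stapler route for the descriptor's doCheckUrl; the value is a constructed URL.
    private static final String CHECK_URL =
        "descriptorByName/com.kagilum.plugins.icescrum.IceScrumProjectProperty/checkUrl?value=http://example.invalid";

    @Before public void setUp() {
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
            .grant(Jenkins.READ).everywhere().to("reader")
            .grant(Jenkins.ADMINISTER).everywhere().to("admin"));
    }

    // Issues one request as the given user and returns the HTTP status code.
    private int status(String user, HttpMethod method, boolean withCrumb) throws Exception {
        JenkinsRule.WebClient wc = j.createWebClient().login(user);
        wc.setThrowExceptionOnFailingStatusCode(false);
        WebRequest req = new WebRequest(new URL(j.getURL(), CHECK_URL), method);
        if (withCrumb) wc.addCrumb(req);   // a cross-site forged request carries no crumb
        Page p = wc.getPage(req);
        return p.getWebResponse().getStatusCode();
    }

    @Test public void getIsRejectedByRequirePost() throws Exception {
        assertEquals(405, status("admin", HttpMethod.GET, false));   // @RequirePOST
    }

    @Test public void postWithoutCrumbIsRejected() throws Exception {
        assertEquals(403, status("admin", HttpMethod.POST, false));  // crumb (CSRF) check
    }

    @Test public void readOnlyUserIsDenied() throws Exception {
        assertEquals(403, status("reader", HttpMethod.POST, true));  // checkPermission(ADMINISTER)
    }

    @Test public void adminWithCrumbSucceeds() throws Exception {
        assertEquals(200, status("admin", HttpMethod.POST, true));
    }
}
```

Run against the unpatched 1.1.5 code, the first and third tests fail, which is exactly the gap the advisory describes.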
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:icescrum (Maven) | < 1.1.6 | 1.1.6 |
Affected products
- Range: 1.1.5 and earlier
Patches
- 2e248f7e2cfc: fix SECURITY-1484
1 file changed · +4 −2
src/main/java/com/kagilum/plugins/icescrum/IceScrumProjectProperty.java+4 −2 modified@@ -23,6 +23,7 @@ import hudson.model.*; import hudson.util.FormValidation; import hudson.util.Secret; +import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; @@ -81,6 +82,7 @@ public String getDisplayName() { @RequirePOST public FormValidation doCheckUrl(@QueryParameter String value) { + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); if(IceScrumProjectSettings.isValidUrl(value)) return FormValidation.ok(); else @@ -90,7 +92,7 @@ public FormValidation doCheckUrl(@QueryParameter String value) { @RequirePOST public FormValidation doLoginCheck(@QueryParameter("icescrum.accessToken") final String accessToken, @QueryParameter("icescrum.url") final String url) throws IOException, ServletException { - + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); if(!IceScrumProjectSettings.isValidUrl(url)) return FormValidation.error(Messages.IceScrumProjectProperty_icescrum_error_url()); @@ -110,7 +112,7 @@ public FormValidation doLoginCheck(@QueryParameter("icescrum.accessToken") final public FormValidation doOldLoginCheck(@QueryParameter("icescrum.username") final String username, @QueryParameter("icescrum.password") final Secret password, @QueryParameter("icescrum.url") final String url) throws IOException, ServletException { - + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); if(!IceScrumProjectSettings.isValidUrl(url)) return FormValidation.error(Messages.IceScrumProjectProperty_icescrum_error_url());
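Review bot: in the doCheckUrl and doLoginCheck hunks, @RequirePOST appears as unchanged context, so this commit only adds the Jenkins.ADMINISTER permission checks; the commit message "fix SECURITY-1484" should say that the POST requirement was already in place and that the missing piece was authorization. Also, Jenkins.getInstance() is deprecated on cores that provide Jenkins.get(); if the plugin's core baseline allows it, prefer `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` in all three methods.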
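Review bot: the doOldLoginCheck hunk starts at the method signature, so unlike the two hunks above it does not show @RequirePOST on this method. Confirm the annotation is present: checkPermission alone does not stop a forged request riding an administrator's session, since that request passes the permission check, and the crumb check is only enforced for POST.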
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rxvx-9wg5-qpww (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10441 (ADVISORY)
- github.com/jenkinsci/icescrum-plugin/commit/2e248f7e2cfc5deb2d796f9fbaf42d8ea33ccad4 (WEB)
- jenkins.io/security/advisory/2019-10-16/ (WEB, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.