CVE-2019-16565
Description
A CSRF vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to use stolen credentials to connect to arbitrary URLs, potentially capturing Jenkins credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Description
The Jenkins Team Concert Plugin, version 1.3.0 and earlier, contains a cross-site request forgery (CSRF) vulnerability in a form-validation (connection test) method. The method accepts requests that are not POST, so Jenkins' CSRF protection, which validates the crumb only on POST requests, never applies to it; an attacker can therefore cause an authenticated Jenkins user with sufficient permissions to submit the request unintentionally [1][2].
Exploitation
An attacker who already knows valid credentials IDs (obtained through another method, for example a separate information disclosure vulnerability) can craft a request that makes the plugin connect to an attacker-specified URL using those credentials. The victim must be logged in to Jenkins with enough permission to reach the plugin's form-validation endpoint, and the attacker must lure the victim into opening a link or page that issues the forged request [3].
Impact
Successful exploitation makes the Jenkins controller connect to an arbitrary, attacker-controlled URL using the stolen credentials, so the attacker's endpoint can capture whatever the plugin sends to authenticate. The confidentiality of Jenkins-managed credentials is at risk, and with it any connected system those credentials unlock [1][3].
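The Description and Exploitation sections above describe a vulnerability class rather than a specific code path, and no fix diff is available for this CVE. The following is an added, illustrative Jenkins plugin example (not the Team Concert Plugin's source; the class, method, field and package names are invented) that shows the generic pattern behind this class of bug: a form-validation "test connection" handler that sends stored credentials to a caller-supplied URL, without a permission check and without requiring POST, next to the hardened form using Jenkins' standard `@POST` and `checkPermission` idioms.

```java
// Added example: generic Jenkins form-validation handler, vulnerable pattern beside the
// hardened one. NOT the Team Concert Plugin's code; all names below are hypothetical.
// In a real plugin these methods live on a Descriptor so Stapler exposes them as
// doXxx web methods reachable from the configuration form.
package com.example.demo;  // hypothetical package

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class DemoConnectionCheck {

    /** Resolve a stored username/password credential by ID; null if none matches. */
    static StandardUsernamePasswordCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    /** Send the stored credential as HTTP Basic auth to serverUrl and return the status. */
    static int probe(String serverUrl, StandardUsernamePasswordCredentials c) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
        String token = c.getUsername() + ":" + c.getPassword().getPlainText();
        conn.setRequestProperty("Authorization", "Basic "
                + Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8)));
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn.getResponseCode();
    }

    // VULNERABLE PATTERN: no permission check, so anyone with Overall/Read can call it;
    // no POST requirement, so Jenkins never validates the CSRF crumb and a logged-in
    // victim can be made to call it from an attacker's page with an attacker-chosen
    // serverUrl and credentialsId. The secret then leaves the controller.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String serverUrl,
                                                     @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("No such credentials");
        try {
            return FormValidation.ok("HTTP " + probe(serverUrl, c));
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }

    // HARDENED PATTERN: @POST rejects non-POST requests, so the crumb is checked and a
    // cross-site form submission fails; checkPermission requires the same right the
    // surrounding configuration form already demands (job-level or global).
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);   // global configuration context
        } else {
            item.checkPermission(Item.CONFIGURE);                // job configuration context
        }
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("No such credentials");
        try {
            return FormValidation.ok("HTTP " + probe(serverUrl, c));
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The hardened handler still lets a user who legitimately holds Configure permission point the probe at a URL of their choosing; that is accepted in Jenkins because such a user can already reach the same credentials through a job. The two guards close exactly the gap this CVE describes: reachability by low-privilege users and by forged cross-site requests.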
Mitigation
As of the advisory there was no fix for the Team Concert Plugin; Jenkins advised users not to use the plugin until a fixed version is released [1][2]. Until then, uninstalling or disabling the plugin removes the exposed endpoint; users should monitor for a fixed release and update promptly. Note that enabling Jenkins' global CSRF protection does not mitigate this issue on its own, because the crumb is validated only on POST requests and the affected method accepts other verbs.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:teamconcert (Maven) | <= 1.3.0 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-9h9v-rfh6-jf3w (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-16565 (NVD)
- www.openwall.com/lists/oss-security/2019/12/17/1 (oss-security mailing list)
- jenkins.io/security/advisory/2019-12-17/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.