VYPR
High severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024

CVE-2019-16566

Description

Jenkins Team Concert Plugin lacks a permission check, enabling attackers with Overall/Read to connect to an attacker-controlled URL and capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2019-16566 is a missing permission check in the Jenkins Team Concert Plugin, versions 1.3.0 and earlier. The plugin does not verify that a user holds the required permission before performing actions that connect to an external URL using an attacker-specified credential ID. Any user with at least Overall/Read permission can therefore trigger the issue, provided they have obtained a valid credential ID through another vulnerability or method [1][4].

Exploitation

An attacker can craft a request to a form validation endpoint, or similar functionality, that does not enforce proper authorization. By supplying an attacker-controlled URL together with a known credential ID, the attacker causes the plugin to open a connection to that server and send the stored credentials in the process. The attack does not require administrative access, only Overall/Read, which is a relatively low privilege level in Jenkins [3].

Impact

Successful exploitation lets an attacker capture credentials stored in Jenkins, such as passwords, tokens, or other secrets. These can then be used to compromise the systems and services that Jenkins integrates with, since the stolen credentials may grant elevated access there [4].

Mitigation

Status

As of the advisory publication date (2019-12-17), no fix was available for the Team Concert Plugin. The plugin is listed among those with unresolved security issues, and users are advised to restrict access to Jenkins or to disable the plugin where possible [1][3].
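Disabling the plugin presupposes knowing whether an affected build is installed. The following Python check is an added example, not part of this advisory page or of the plugin's code; it assumes the plugin inventory JSON that Jenkins' plugin manager serves at /pluginManager/api/json?depth=1 (fields shortName, version, active) and embeds a constructed sample inventory so it runs offline.

```python
"""Flag installed Team Concert Plugin builds within the CVE-2019-16566 affected
range (teamconcert <= 1.3.0; the advisory lists no patched release)."""
import json
import re

AFFECTED_PLUGIN = "teamconcert"      # artifactId of org.jenkins-ci.plugins:teamconcert
LAST_AFFECTED_VERSION = "1.3.0"      # "<= 1.3.0" per the advisory

# Constructed sample, shaped like the output of /pluginManager/api/json?depth=1.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "2.3.0", "active": True},
    {"shortName": "teamconcert", "version": "1.3.0", "active": True},
]})


def parse_version(version: str) -> tuple:
    """Turn "1.3.0", "1.10" or "1.3.0-SNAPSHOT" into a tuple of ints so that
    components compare numerically ("1.10" > "1.3"). A qualifier after "-" is
    dropped, which treats pre-release builds as their base version (the
    conservative choice for an exposure check)."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", numeric))


def version_at_most(version: str, ceiling: str) -> bool:
    """True if version <= ceiling, padding shorter tuples with zeros ("1.3" == "1.3.0")."""
    a, b = parse_version(version), parse_version(ceiling)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def find_exposed_plugins(inventory_json: str) -> list:
    """Return (shortName, version, active) for every installed teamconcert build in
    the affected range. Disabled builds are reported too: they stay installed and
    can be re-enabled, so the caller decides whether that counts as remediated."""
    exposed = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != AFFECTED_PLUGIN:
            continue
        if version_at_most(plugin.get("version", "0"), LAST_AFFECTED_VERSION):
            exposed.append((plugin["shortName"], plugin["version"],
                            bool(plugin.get("active", True))))
    return exposed


if __name__ == "__main__":
    for name, version, active in find_exposed_plugins(SAMPLE_INVENTORY):
        state = "enabled" if active else "disabled"
        print(f"{name} {version} ({state}) is within the CVE-2019-16566 affected range")
```

Against a live instance, fetch the inventory with an account that can read the plugin manager and pass the response body to find_exposed_plugins.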

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:teamconcert (Maven)
Affected versions: <= 1.3.0
Patched versions: (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.