CVE-2019-16573

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Alauda DevOps Pipeline Plugin, versions 2.3.2 and earlier. The plugin fails to require a CSRF-protected request when performing certain actions, allowing an attacker to trick a Jenkins user with sufficient permissions into executing unwanted operations.

Exploitation

Method

An attacker can craft a malicious web page or link that, when visited by an authenticated Jenkins user, triggers a crafted HTTP request to the vulnerable plugin endpoint. This request instructs Jenkins to connect to an attacker-specified URL using attacker-chosen credentials IDs. The attacker must already possess knowledge of valid credentials IDs stored in Jenkins, possibly obtained through another vulnerability or reconnaissance [1][2][3].

Impact

By exploiting this CSRF vulnerability, an attacker can force Jenkins to initiate outbound connections to arbitrary URLs using stored credentials. This can leak the actual credential values to an attacker-controlled server, compromising all secrets managed by Jenkins that are tied to the known credential IDs. The attack does not require the attacker to have direct access to Jenkins but relies on a user with appropriate permissions being tricked into performing the action [1][2][3].

Mitigation

Status

As of the advisory publication date (2019-12-17), the vulnerability remains unpatched. Jenkins reports that the Alauda DevOps Pipeline Plugin is among several plugins with unresolved security issues; no fixed version is listed in the advisory. Users are advised to disable the plugin or apply workarounds such as restricting access to Jenkins or using a reverse proxy to add CSRF protection if possible, pending an official patch [1][2].