1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1033

[JENKINS:SECURITY-1033] SSRF vulnerability due to missing permission check in JMS Messaging Plugin

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

A missing permission check in a form validation method in JMS Messaging Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP request to an attacker-specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a permission check.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/jms-messaging <= 1.1.1
pkg:github/jenkinsci/jms-messaging-plugin <= 1.1.1
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/jms-messaging = 1.1.2
pkg:github/jenkinsci/jms-messaging-plugin = 1.1.2
ID
JENKINS:SECURITY-1033
Severity
medium
Published
2019-02-19T00:00:00
(5 years ago)
Modified
2019-02-19T00:00:00
(5 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository jms-messaging repository https://github.com/jenkinsci/jms-messaging-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/jms-messaging org.jenkins-ci.plugins jms-messaging <= 1.1.1
Fixed pkg:maven/org.jenkins-ci.plugins/jms-messaging org.jenkins-ci.plugins jms-messaging = 1.1.2
Affected pkg:github/jenkinsci/jms-messaging-plugin jenkinsci jms-messaging-plugin <= 1.1.1
Fixed pkg:github/jenkinsci/jms-messaging-plugin jenkinsci jms-messaging-plugin = 1.1.2
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date