CVE-2019-1003016
Jenkins Job Import Plugin vulnerable to exposure of sensitive information
4.3
MEDIUM
CVSS 3.1
EPSS 0.16%
Description
Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Job Import Plugin 3.0 will only access Jenkins instances using credentials defined in the global configuration.
How to fix CVE-2019-1003016
To remediate CVE-2019-1003016, upgrade the affected package to a fixed version below.
- —upgrade to 3.0 or later
Is CVE-2019-1003016 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |