CVE-2019-1003008

Name of the Vulnerable Software and Affected Versions: Jenkins Warnings Next Generation Plugin versions 2.1.1 and earlier

Description: A cross-site request forgery issue exists that allows attackers to execute arbitrary code via a form validation HTTP endpoint. The endpoint, used to validate a Groovy script through compilation, was not subject to sandbox protection and did not require POST requests, making it vulnerable to cross-site request forgery. This allowed attackers to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as @Grab to source code elements.

Recommendations: For Jenkins Warnings Next Generation Plugin versions 2.1.1 and earlier, update the plugin to a version that applies a safe Groovy compiler configuration, preventing the use of unsafe AST transforming annotations, and requires form validation requests to be sent via POST to prevent cross-site request forgery.