PT-2019-11314 · Jenkins · Jenkins Job Import Plugin

Author: Julien Szlamowicz
Published: 2019-02-06
Updated: 2023-10-25
CVE: CVE-2019-1003016
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Job Import Plugin versions 2.1 and earlier
Description: A sensitive information exposure issue exists because the plugin does not check user permissions on the API endpoint it uses to access remote Jenkins instances. As a result, an attacker with Overall/Read permission can make Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs, which lets the attacker capture credentials stored in Jenkins.
Recommendations: For Jenkins Job Import Plugin versions 2.1 and earlier, update to version 3.0 or later, which only accesses Jenkins instances using credentials defined in the global configuration. As a temporary workaround, restrict access to the plugin's API endpoint to reduce the risk of exploitation.

Weakness Enumeration

CSRF

Related Identifiers

CVE-2019-1003016
GHSA-57WW-2CVR-WV38

Affected Products

Jenkins
Jenkins Job Import Plugin