4.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10310

GHSA ID

GHSA-vrvm-459q-j824

EPSS Score

0.363%

CWE

CWE-352

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10310

CVE-2019-10310: Jenkins Ansible Tower Plugin cross-site request forgery vulnerability

Jenkins Ansible Tower Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

(GitHub Advisory)

4.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10310

GHSA ID

GHSA-vrvm-459q-j824

EPSS Score

0.363%

CWE

CWE-352

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:ansible-tower	maven	<= 0.9.1	0.9.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on two methods in TowerInstallationDescriptor:

doTestTowerConnection - Directly handles connection validation without proper authz checks or CSRF protection, as shown in exploit examples
doFillTowerCredentialsIdItems - Enables credential ID enumeration prerequisite for exploitation Both are explicitly named in vulnerability reports and required security fixes (POST enforcement + permission elevation). The Java package structure follows Jenkins plugin conventions, with descriptor methods being entry points for web requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *nsi*l* Tow*r Plu*in *i* not p*r*orm p*rmission ****ks on * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llow** us*rs wit* Ov*r*ll/R*** ****ss to J*nkins to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls I*s o*t*in**

Reasoning

T** vuln*r**ility **nt*rs on two m*t*o*s in Tow*rInst*ll*tion**s*riptor: *. *oT*stTow*r*onn**tion - *ir**tly **n*l*s *onn**tion v*li**tion wit*out prop*r *ut*z ****ks or *SR* prot**tion, *s s*own in *xploit *x*mpl*s *. *o*illTow*r*r***nti*lsI*It*ms

4.2

Basic Information

Concerned about an active attack path?

CVE-2019-10310: Jenkins Ansible Tower Plugin cross-site request forgery vulnerability

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI