5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10338

GHSA ID

GHSA-qww5-p626-rfpf

EPSS Score

0.27945%

CWE

CWE-352

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10338

CVE-2019-10338:
Jenkins JX Resources Plugin cross-site request forgery vulnerability

Jenkins jx-resources Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service account credentials used for the connection. Additionally, it allowed attackers to obtain the value of any attacker-specified environment variable for the Jenkins controller process.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

(GitHub Advisory)

5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10338

GHSA ID

GHSA-qww5-p626-rfpf

EPSS Score

0.27945%

CWE

CWE-352

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:jx-resources	maven	<= 1.0.36	1.0.37

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on a form validation endpoint that was missing both CSRF protection (allowing GET requests) and proper authorization. Multiple sources explicitly name GlobalPluginConfiguration#doValidateClient as the vulnerable method:

NVD description directly references this method
Jenkins advisory states 'form validation method did not require POST requests'
CVE-2019-10338 is specifically mapped to this method in both GHSA and CVE records

This method would appear in runtime profiling when attackers trigger the CSRF exploit, as it's the entry point for the vulnerable validation logic that connects to external Kubernetes servers and reads environment variables.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins jx-r*sour**s Plu*in *i* not p*r*orm p*rmission ****ks on * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llow** us*rs wit* Ov*r*ll/R*** ****ss to J*nkins to *onn**t to *n *tt**k*r-sp**i*i** Ku**rn*t*s s*rv*r *n* o*t*in in*orm*tion **out *n *tt**

Reasoning

T** vuln*r**ility **nt*rs on * *orm v*li**tion *n*point t**t w*s missin* *ot* *SR* prot**tion (*llowin* **T r*qu*sts) *n* prop*r *ut*oriz*tion. Multipl* sour**s *xpli*itly n*m* *lo**lPlu*in*on*i*ur*tion#*oV*li**t**li*nt *s t** vuln*r**l* m*t*o*: *. N

5.4

Basic Information

Concerned about an active attack path?

CVE-2019-10338: Jenkins JX Resources Plugin cross-site request forgery vulnerability

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-10338:
Jenkins JX Resources Plugin cross-site request forgery vulnerability

Vulnerability Intelligence
Miggo AI