CVE-2019-10387: Missing permission check in Jenkins XL TestView Plugin

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.1451%
Published: 5/24/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name                             Ecosystem   Vulnerable Versions   First Patched Version
com.xebialabs.xlt.ci:xltestview-plugin   maven       <= 1.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description explicitly identifies XLTestView.XLTestDescriptor#doTestConnection as the vulnerable method. The CWE-862 (Missing Authorization) aligns with the lack of permission checks in this form validation endpoint. Multiple sources (Jenkins advisory, CVE, GHSA) confirm this method's role in the exploit chain. While the exact file path is inferred from Java class naming conventions, the method's vulnerability is explicitly documented in all authoritative descriptions.
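To make the CWE-862 pattern concrete, here is an added illustration (not the XL TestView plugin's own source) of a Jenkins Descriptor form-validation endpoint with the defect the advisory describes, next to the hardened form that Jenkins plugin guidance uses. ExampleDescriptor, doTestConnectionHardened and connect() are hypothetical names; the Jenkins and Stapler APIs are real.

```java
// Added illustration, not the XL TestView plugin's code. ExampleDescriptor and
// connect() are hypothetical; Descriptor<Builder> is only a stand-in base type.
import hudson.model.Descriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleDescriptor extends Descriptor<Builder> {

    // BEFORE (the CWE-862 shape): Stapler exposes every doXxx method as a URL, and
    // without a permission check any user holding Overall/Read can reach it. The
    // controller then connects to a caller-chosen URL with a caller-chosen stored
    // credentials ID, which is exactly the exposure the advisory describes.
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        return connect(url, credentialsId)
                ? FormValidation.ok("Connection successful")
                : FormValidation.error("Could not connect");
    }

    // AFTER: require an administrative permission before acting on user-supplied
    // URL/credentials, and accept POST only so the action cannot be triggered by
    // a crafted GET link. checkPermission throws AccessDeniedException otherwise.
    @POST
    public FormValidation doTestConnectionHardened(@QueryParameter String url,
                                                   @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(url, credentialsId)
                ? FormValidation.ok("Connection successful")
                : FormValidation.error("Could not connect");
    }

    // Placeholder for the plugin's real connection test; always fails here.
    private boolean connect(String url, String credentialsId) {
        return false;
    }
}
```

A quick audit check on any Jenkins plugin is to grep Descriptor classes for `do` methods taking `@QueryParameter` and confirm each one calls `checkPermission` (or `hasPermission`) before doing network or credential work.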

Vulnerable functions

WAF Protection Rules

WAF Rule

A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained
