
CVE-2019-10437: Jenkins CRX Content Package Deployer Plugin subject to Cross-Site Request Forgery

CVSS Score
8.8 (CVSS 3.1)

Basic Information

EPSS Score
0.27186%
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name                                          Ecosystem  Vulnerable Versions  First Patched Version
org.jenkins-ci.plugins:crx-content-package-deployer   maven      < 1.9                1.9

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from form validation methods in multiple builder classes that did not enforce POST requests (via @RequirePOST) or validate user permissions (Item.CONFIGURE). The GitHub advisory explicitly states these methods were vulnerable to CSRF and missing permission checks. The commit 1313c422170a064dab0f9359324ff27e30a9f4a5 adds both @RequirePOST annotations and checkPermission calls to these methods, confirming their pre-patch vulnerability. The high confidence comes from direct correlation between advisory descriptions, CWE-352, and the patched code changes.
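The pattern the analysis describes, shown as an added example rather than the plugin's own code: a Jenkins form-validation method in its vulnerable shape beside the hardened shape the fix commit applies (@RequirePOST plus a permission check). The method and parameter names, the helper, and the administrator fallback for the global-configuration case are assumptions.

```java
// Added illustration; not code from the CRX Content Package Deployer Plugin.
// Method/parameter names (doTestConnection, url, credentialsId) are hypothetical.
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ConnectionCheckExamples {

    // BEFORE (vulnerable shape): reachable via GET with no permission check, so a
    // crafted page can trigger it from a logged-in user's browser (CSRF, CWE-352),
    // and any caller can make Jenkins connect outbound with a credentials ID that
    // the caller is not entitled to use.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
        return connectAndReport(url, credentialsId);
    }

    // AFTER (shape of the fix): @RequirePOST rejects GET, so the request must
    // carry Jenkins' CSRF crumb; the permission check ties the action to the
    // caller's rights on the item whose configuration form is being validated.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            // Assumption: outside a job context (global config) require administrator.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            // Job context: the caller must be allowed to configure this item.
            item.checkPermission(Item.CONFIGURE);
        }
        return connectAndReport(url, credentialsId);
    }

    // Hypothetical helper standing in for the real connection attempt; it only
    // validates its inputs so the example compiles without network access.
    private FormValidation connectAndReport(String url, String credentialsId) {
        if (url == null || url.isEmpty()) {
            return FormValidation.error("URL is required");
        }
        if (credentialsId == null || credentialsId.isEmpty()) {
            return FormValidation.error("Credentials are required");
        }
        return FormValidation.ok("Inputs accepted; connection test would run here");
    }
}
```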


WAF Protection Rules

WAF Rule

A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin prior to 1.9 allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing crede
