CVE-2019-10438: Jenkins CRX Content Package Deployer Plugin subject to Missing Authorization
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.14756%
CWE
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:crx-content-package-deployer | maven | < 1.9 | 1.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing authorization checks in form validation handlers that: 1) Didn't verify Item.CONFIGURE
permissions 2) Allowed GET requests (CSRF) 3) Accepted attacker-controlled credentials. The commit added @RequirePOST annotations and checkPermission()
calls to these connection testing methods across multiple builder classes, indicating these were the vulnerable endpoints. The credential listing functions (doFillCredentialsIdItems
) were also vulnerable but slightly less critical as they only exposed credential IDs rather than full credential material.