Miggo Logo
Miggo Vulnerability Database
CVE-2019-10455

CVE-2019-10455: Missing permission check in Jenkins Rundeck Plugin

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-10455
GHSA ID
GHSA-p4f7-7c33-9675
EPSS Score
0.07093%
CWE
CWE-862
Published
5/24/2022
Updated
12/14/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:rundeckmaven< 3.6.63.6.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing authorization checks in form validation methods. The patch added Jenkins.ADMINISTER checks to doTestConnection and Item.CONFIGURE checks to doCheckJobIdentifier, along with @RequirePOST annotations to prevent CSRF. These methods directly handle external connections/credentials validation, aligning with the advisory's description of attackers exploiting missing checks to connect to arbitrary URLs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* missin* p*rmission ****k in J*nkins Run***k Plu*in *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls.

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks in *orm v*li**tion m*t*o*s. T** p*t** ***** `J*nkins.**MINIST*R` ****ks to `*oT*st*onn**tion` *n* `It*m.*ON*I*UR*` ****ks to `*o****kJo*I**nti*i*r`, *lon* wit* @R*quir*POST *nnot*tions to pr*v