8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10464

GHSA ID

GHSA-6x2w-gwgf-5rg3

EPSS Score

0.30259%

CWE

CWE-352

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10464

CVE-2019-10464: Jenkins Deploy WebLogic Plugin cross-site request forgery vulnerability

JenkinsDeploy WebLogic Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL, or confirm the existence of any file or directory on the Jenkins controller.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10464

GHSA ID

GHSA-6x2w-gwgf-5rg3

EPSS Score

0.30259%

CWE

CWE-352

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:weblogic-deployer-plugin	maven	<= 4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from form validation methods that 1) don't perform permission checks (allowing Overall/Read users to execute them) and 2) accept non-POST requests (enabling CSRF). In Jenkins plugins, form validation is typically implemented through doCheck* methods in Descriptor classes. The combination of missing permission validation (SECURITY-820) and missing POST requirement (CWE-352) indicates these methods are the vulnerable entry points. The file path is inferred from standard Jenkins plugin structure and WebLogic Deployer naming conventions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins**ploy W**Lo*i* Plu*in *o*s not p*r*orm p*rmission ****ks on * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llows us*rs wit* Ov*r*ll/R*** ****ss to J*nkins to s*n* *n *TTP **** r*qu*st to * us*r-sp**i*i** URL, or *on*irm t** *xist*n** o* *ny *il

Reasoning

T** vuln*r**ility st*ms *rom *orm v*li**tion m*t*o*s t**t *) *on't p*r*orm p*rmission ****ks (*llowin* Ov*r*ll/R*** us*rs to *x**ut* t**m) *n* *) ****pt non-POST r*qu*sts (*n**lin* *SR*). In J*nkins plu*ins, *orm v*li**tion is typi**lly impl*m*nt** t

8.8

Basic Information

Concerned about an active attack path?

CVE-2019-10464: Jenkins Deploy WebLogic Plugin cross-site request forgery vulnerability

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI