
CVE-2019-10465: Jenkins Deploy WebLogic Plugin missing permission check

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score
0.07093%
Published
5/24/2022
Updated
10/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name: org.jenkins-ci.plugins:weblogic-deployer-plugin
Ecosystem: maven
Vulnerable Versions: <= 4.1
First Patched Version:

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The advisory explicitly references a form validation method with two flaws: 1) a missing permission check, which lets low-privileged users (Overall/Read) trigger the validation logic, and 2) a missing POST requirement, which makes the same endpoint reachable via GET and therefore exposes it to CSRF. In Jenkins plugins, form validation methods follow the doCheck[FieldName] naming pattern in DescriptorImpl classes and are invoked by Stapler over HTTP. The URL validation method would issue an HTTP HEAD request to the user-supplied URL, while the file path validation would test for the file's existence on the controller's local filesystem; both are the critical paths described in the advisory.
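An added example, not code from the plugin or from Miggo: a hypothetical Jenkins build-step DescriptorImpl showing the doCheck pattern with the two flaws the advisory describes beside the standard hardening from Jenkins' form-validation guidance (the @POST annotation and an Item.CONFIGURE permission check). The method and field names (doCheckTargetUrl, doCheckLocalPath, probe) are assumptions for illustration.

```java
// Added example (not the plugin's code). Hypothetical descriptor that
// contrasts an unprotected doCheck method with the hardened form.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.io.File;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class DescriptorImpl extends BuildStepDescriptor<Builder> {

    // FLAWED pattern (hypothetical): no permission check and no @POST, so any
    // user with Overall/Read can invoke it, and a GET from another site can too.
    public FormValidation doCheckTargetUrlUnsafe(@QueryParameter String value) {
        return probe(value);
    }

    // HARDENED pattern: @POST rules out the GET/CSRF exposure; checkPermission()
    // limits the server-side probe to users allowed to configure this job.
    @POST
    public FormValidation doCheckTargetUrl(@AncestorInPath Item item,
                                           @QueryParameter String value) {
        if (item == null) {                  // no job context: validate nothing
            return FormValidation.ok();
        }
        item.checkPermission(Item.CONFIGURE);  // throws AccessDeniedException
        return probe(value);
    }

    @POST
    public FormValidation doCheckLocalPath(@AncestorInPath Item item,
                                           @QueryParameter String value) {
        if (item == null) {
            return FormValidation.ok();
        }
        item.checkPermission(Item.CONFIGURE);
        // Existence test runs on the controller, only after the permission check.
        return new File(value).exists() ? FormValidation.ok()
                : FormValidation.error("File not found on controller: " + value);
    }

    // Sends the HEAD request the advisory refers to; shared by both variants.
    private FormValidation probe(String value) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(value).openConnection();
            c.setRequestMethod("HEAD");
            c.setConnectTimeout(5000);
            int code = c.getResponseCode();
            return code < 400 ? FormValidation.ok() : FormValidation.warning("HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error("Cannot reach URL: " + e.getMessage());
        }
    }

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
}
```

For descriptors whose validation belongs to global configuration rather than a job, the equivalent check is Jenkins.get().checkPermission(Jenkins.ADMINISTER) in place of the Item.CONFIGURE check.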


WAF Protection Rules

WAF Rule

Jenkins Deploy WebLogic Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL, or confirm the existence of any file
