CVE-2019-10465: Jenkins Deploy WebLogic Plugin missing permission check
CVSS Score: 4.3 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.07093%
CWE
Published
5/24/2022
Updated
10/27/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:weblogic-deployer-plugin | maven | <= 4.1 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory explicitly references a form validation method with two flaws: 1) missing permission checks, allowing low-privileged users to trigger actions, and 2) a missing POST requirement, enabling CSRF. In Jenkins plugins, form validation methods follow the doCheck[FieldName] naming pattern in DescriptorImpl classes. The URL validation method would handle HEAD request execution, while file path validation would check local filesystem existence; both are critical paths described in the vulnerability.
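The following is an added, hypothetical Jenkins build-step descriptor (not the WebLogic Deployer plugin's own code; the page does not give its real method names) that shows the flawed doCheck shape described above next to the hardened one. The class and method names (ExampleBuilder, doCheckUrlFlawed, doCheckUrl) are assumptions; the fix uses the standard Jenkins pattern of `@POST` plus an explicit permission check before the side effect.

```java
package example; // hypothetical package; not the plugin's own code

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.net.HttpURLConnection;
import java.net.URL;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleBuilder extends Builder { // minimal host for the descriptor below

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Flawed shape the analysis describes: answers GET and checks no permission, so
        // any user with Overall/Read, or a cross-site page, can make the controller
        // send a HEAD request to a URL of their choosing.
        public FormValidation doCheckUrlFlawed(@QueryParameter String value) {
            return probe(value);
        }

        // Hardened shape: @POST rejects GET (closing the CSRF path) and the permission
        // check limits the probe to users who may configure the job, or to
        // administrators when the method is reached outside a job context.
        @POST
        public FormValidation doCheckUrl(@AncestorInPath Item item, @QueryParameter String value) {
            if (item != null) item.checkPermission(Item.CONFIGURE);
            else Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(value);
        }

        // The side effect both variants share: an outbound HEAD request from the controller.
        private static FormValidation probe(String value) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(value).openConnection();
                c.setRequestMethod("HEAD");
                int code = c.getResponseCode();
                return code < 400 ? FormValidation.ok() : FormValidation.warning("HTTP " + code);
            } catch (Exception e) {
                return FormValidation.error("Unreachable: " + e.getMessage());
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    }
}
```

The same two-part fix (a `@POST` annotation and a permission check gated on the job or on Jenkins.ADMINISTER) applies to the file-path validation method mentioned above, whose side effect is a filesystem existence check on the controller.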