4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10465

GHSA ID

GHSA-89vj-rqv8-7737

EPSS Score

0.07093%

CWE

CWE-276

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10465

CVE-2019-10465: Jenkins Deploy WebLogic Plugin missing permission check

JenkinsDeploy WebLogic Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL, or confirm the existence of any file or directory on the Jenkins controller.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10465

GHSA ID

GHSA-89vj-rqv8-7737

EPSS Score

0.07093%

CWE

CWE-276

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:weblogic-deployer-plugin	maven	<= 4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory explicitly references a form validation() method with two flaws: 1) Missing permission checks allowing low-privileged users to trigger actions, and 2) Missing POST requirement enabling CSRF. In Jenkins plugins, form validation methods follow the doCheck[FieldName] naming pattern in DescriptorImpl classes. The URL validation() method would handle HEAD request execution, while file path validation would check local filesystem existence - both critical paths described in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins**ploy W**Lo*i* Plu*in *o*s not p*r*orm p*rmission ****ks on * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llows us*rs wit* Ov*r*ll/R*** ****ss to J*nkins to s*n* *n *TTP **** r*qu*st to * us*r-sp**i*i** URL, or *on*irm t** *xist*n** o* *ny *il

Reasoning

T** **visory *xpli*itly r***r*n**s * *orm `v*li**tion()` m*t*o* wit* two *l*ws: *) Missin* p*rmission ****ks *llowin* low-privil**** us*rs to tri***r **tions, *n* *) Missin* `POST` r*quir*m*nt *n**lin* *SR*. In `J*nkins` plu*ins, *orm `v*li**tion` m*

4.3

Basic Information

Concerned about an active attack path?

CVE-2019-10465: Jenkins Deploy WebLogic Plugin missing permission check

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI