CVE-2019-16569: CSRF vulnerability in Jenkins Mantis Plugin
CVSS Score: 4.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-16569
GHSA ID:
EPSS Score: 0.64315%
CWE:
Published: 5/24/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:mantis | maven | <= 0.26 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing CSRF protection mechanism on the connection test endpoint. Jenkins plugins typically implement form validation methods (such as connection tests) as do* methods in Descriptor classes. The advisory explicitly states that this endpoint does not require POST requests, which is Jenkins' standard mechanism for protecting such endpoints against CSRF: wrapping the handler so that only POST requests are accepted. The method name 'doTestConnection' follows standard Jenkins plugin naming conventions for connection test handlers.
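The following Java sketch is an added illustration of the pattern the analysis describes; it is not code from the Mantis plugin or from the advisory. It shows a Jenkins Descriptor with a connection-test handler that accepts GET (the weak form) beside the same handler guarded by Stapler's @RequirePOST annotation and an explicit permission check (the hardened form). The class, field and helper names (ExampleSite, tryConnect) are assumed for the example.

```java
// Added illustrative example (not the Mantis plugin's own code).
// Shows a Jenkins Descriptor form-validation handler in its GET-reachable
// form and in the POST-only, permission-checked form. Names are assumed.
import hudson.Extension;
import hudson.model.Describable;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleSite implements Describable<ExampleSite> {

    @Override
    public Descriptor<ExampleSite> getDescriptor() {
        return Jenkins.get().getDescriptorByType(DescriptorImpl.class);
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleSite> {

        // WEAK PATTERN: Stapler binds do* methods as web endpoints and, with no
        // annotation, serves them for any HTTP method. Jenkins' CSRF crumb check
        // only covers POST, so a page the victim merely visits can make the
        // Jenkins server open a connection with caller-chosen credentials.
        public FormValidation doTestConnectionUnguarded(@QueryParameter String url,
                                                        @QueryParameter String username,
                                                        @QueryParameter String password) {
            return tryConnect(url, username, password);
        }

        // HARDENED PATTERN: @RequirePOST makes Stapler reject non-POST requests,
        // which brings the handler under Jenkins' crumb-based CSRF protection,
        // and the permission check stops any authenticated low-privilege user
        // from driving server-side connections.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return tryConnect(url, username, password);
        }

        // Assumed helper standing in for the real connectivity check.
        private FormValidation tryConnect(String url, String username, String password) {
            if (url == null || url.isEmpty()) {
                return FormValidation.error("URL is required");
            }
            if (username == null || username.isEmpty()) {
                return FormValidation.warning("No username supplied; testing anonymously");
            }
            // A real implementation would open the connection here and report
            // FormValidation.ok(...) or FormValidation.error(...) accordingly.
            return FormValidation.ok("Connection test would run against " + url);
        }
    }
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every do* method in a Descriptor (or other Stapler-bound object) that causes a side effect or an outbound request should carry @RequirePOST and call checkPermission with the permission appropriate to the action; a handler that is reachable by a plain GET is outside the crumb check and therefore exposed to cross-site requests regardless of the global CSRF setting.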