
CVE-2019-16569: CSRF vulnerability in Jenkins Mantis Plugin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.64315%
Published: 5/24/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name: org.jenkins-ci.plugins:mantis
Ecosystem: maven
Vulnerable Versions: <= 0.26
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from a missing CSRF protection mechanism on the connection test endpoint. Jenkins plugins typically implement form validation methods (connection tests among them) as do* methods in Descriptor classes. The advisory explicitly states that this endpoint did not require a POST request, which is exactly the gap Jenkins' POST-required wrappers are meant to close for CSRF protection: the CSRF crumb is only enforced on POST, so a handler reachable via GET is outside that check. The method name 'doTestConnection' follows standard Jenkins plugin naming conventions for connection test handlers.
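As an added illustration of the pattern described above (this is not the Mantis Plugin's actual code; the class name MantisSite, the descriptor, and the url/userName/password parameter names are assumed for the example), the descriptor below shows the vulnerable shape of a connection-test handler in a comment and the hardened shape live. The hardening is Jenkins' own @RequirePOST annotation, which makes Stapler reject non-POST requests and thereby brings the call under the CSRF crumb check, plus an explicit permission check so only administrators can make the controller connect out:

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical configuration object for a Mantis site (assumed for this example;
// not the plugin's real class).
public class MantisSite extends AbstractDescribableImpl<MantisSite> {

    @Extension
    public static class DescriptorImpl extends Descriptor<MantisSite> {

        @Override
        public String getDisplayName() {
            return "Mantis site";
        }

        // BEFORE (the shape the advisory describes). Stapler routes
        // /descriptorByName/<class>/testConnection to a method named
        // doTestConnection for ANY HTTP verb. Jenkins enforces its CSRF crumb
        // only on POST, so a plain GET issued from a third-party page reaches
        // this handler unchecked and the controller connects to whatever URL
        // and credentials the request carries:
        //
        //   public FormValidation doTestConnection(@QueryParameter String url,
        //                                          @QueryParameter String userName,
        //                                          @QueryParameter String password) {
        //       return tryConnect(url, userName, password);
        //   }

        // AFTER: @RequirePOST makes Stapler answer non-POST requests with an
        // error instead of invoking the method, so the request must carry a
        // valid crumb; the permission check additionally stops low-privileged
        // users from using the endpoint to make the controller connect out.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String userName,
                                               @QueryParameter String password) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return tryConnect(url, userName, password);
        }

        // Minimal connection attempt with HTTP Basic auth; the real plugin's
        // Mantis client is not reproduced here.
        private FormValidation tryConnect(String url, String userName, String password) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                String token = Base64.getEncoder().encodeToString(
                        (userName + ":" + password).getBytes(StandardCharsets.UTF_8));
                conn.setRequestProperty("Authorization", "Basic " + token);
                int status = conn.getResponseCode();
                return status < 400
                        ? FormValidation.ok("Connected (HTTP " + status + ")")
                        : FormValidation.error("Server returned HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every do* method on a Descriptor that has a side effect (opening a connection, sending credentials, writing state) must carry @RequirePOST and a permission check; only idempotent doCheck* validators may legitimately answer GET.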


WAF Protection Rules

WAF Rule

A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.
