
CVE-2019-16576: Improper Authorization in Jenkins Alauda Kubernetes Suport Plugin

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.14246%
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Package
Package Name: io.alauda.jenkins.plugins:alauda-kubernetes-support
Ecosystem: maven
Vulnerable Versions: <= 2.3.0
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a missing permission check in a connection-test method. Jenkins plugins conventionally implement such tests as doTest* form-validation methods on a Descriptor, usually the DescriptorImpl that backs the plugin's global configuration page. Stapler exposes every public do* method of a descriptor as a web endpoint, so a handler that neither checks a permission nor requires POST can be called directly by any user holding Overall/Read, and through CSRF by anyone who can get such a user to load a page. Here the handler accepts an attacker-specified URL and an attacker-specified credentials ID, resolves the stored credential and uses it to connect, so the credential is delivered to a server the attacker controls. The advisory describes both characteristics of this unsecured handler, the lack of a POST requirement (CSRF) and the missing authorization check; this CVE covers the missing permission check. The standard fix is the pair Jenkins' form-validation guidance prescribes: annotate the method @RequirePOST (or @POST) and call checkPermission on the appropriate context (Jenkins.ADMINISTER for global configuration, Item.CONFIGURE for job-level configuration) before any credential lookup or network access.
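As an added illustration, not code from the Alauda Kubernetes Suport Plugin (the advisory does not quote the vulnerable method), the following hypothetical Jenkins descriptor shows the unsecured doTest* handler pattern beside the hardened form. The class, method and parameter names, the package, and the use of a StringCredentials bearer token in place of whatever credential type the plugin actually consumed are all assumptions made for the example.

```java
package io.example.jenkins; // hypothetical package, not the plugin's

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.List;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical describable for a cluster endpoint; stands in for the plugin's configuration object. */
public class ClusterEndpoint extends AbstractDescribableImpl<ClusterEndpoint> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ClusterEndpoint> {

        @Override
        public String getDisplayName() {
            return "Cluster endpoint";
        }

        // VULNERABLE PATTERN (the 'before'). Stapler serves this at
        // .../descriptorByName/io.example.jenkins.ClusterEndpoint/testConnectionUnsafe
        // for GET requests, with no permission check: any Overall/Read user, or a CSRF
        // page they visit, can pick the URL and the credentials ID and receive the secret.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl,
                                                     @QueryParameter String credentialsId) {
            return connect(serverUrl, lookup(null, credentialsId));
        }

        // HARDENED. POST only (removes the GET-based CSRF), and the caller must hold the
        // permission needed to save the configuration this field belongs to.
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global configuration page
            } else {
                item.checkPermission(Item.CONFIGURE);              // job or folder configuration
            }
            return connect(serverUrl, lookup(item, credentialsId));
        }

        // The lookup runs as SYSTEM, which is exactly why the permission check above is
        // mandatory: without it the caller reads any credential visible in this context.
        private static StringCredentials lookup(Item item, String credentialsId) {
            if (credentialsId == null || credentialsId.isEmpty()) {
                return null;
            }
            List<StringCredentials> candidates = (item == null)
                ? CredentialsProvider.lookupCredentials(StringCredentials.class, Jenkins.get(),
                        ACL.SYSTEM, Collections.<DomainRequirement>emptyList())
                : CredentialsProvider.lookupCredentials(StringCredentials.class, item,
                        ACL.SYSTEM, Collections.<DomainRequirement>emptyList());
            return CredentialsMatchers.firstOrNull(candidates, CredentialsMatchers.withId(credentialsId));
        }

        private static FormValidation connect(String serverUrl, StringCredentials cred) {
            if (cred == null) {
                return FormValidation.error("Credentials not found");
            }
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
                conn.setRequestMethod("GET");
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                // The secret leaves Jenkins here, bound for whatever host serverUrl names.
                conn.setRequestProperty("Authorization", "Bearer " + cred.getSecret().getPlainText());
                int status = conn.getResponseCode();
                return status == 200
                    ? FormValidation.ok("Connected (HTTP 200)")
                    : FormValidation.warning("Server answered HTTP " + status);
            } catch (MalformedURLException e) {
                return FormValidation.error("Malformed URL: " + serverUrl);
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

The two handlers differ only in the annotation and the two checkPermission calls, which is why this class of bug is easy to ship and easy to audit for: grep a plugin's Descriptor classes for public do* methods that take a credentials ID or URL and confirm each one carries @RequirePOST (or @POST) and a checkPermission call before it touches CredentialsProvider or opens a connection. In the hardened version, a non-administrator issuing the same POST gets a 403 from checkPermission before any lookup happens, and a plain GET is rejected by the @RequirePOST interceptor.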


WAF Protection Rules

WAF Rule

A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, ca
