CVE-2019-16559
Jenkins WebSphere Deployer Plugin missing permission check
Description
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins controller file system, and obtain limited information about the Jenkins and plugin configuration based on the responses. The latter include the ability to set plugin configuration options. Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability. As of publication of this advisory, there is no fix.
How to fix CVE-2019-16559
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2019-16559 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 1.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |