CVE-2019-10454
Description
Jenkins Rundeck Plugin is vulnerable to CSRF, allowing an attacker to connect to an arbitrary URL using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Rundeck Plugin is vulnerable to CSRF, allowing an attacker to connect to an arbitrary URL using attacker-specified credentials.
Vulnerability
CVE-2019-10454 describes a cross-site request forgery (CSRF) vulnerability in the Jenkins Rundeck Plugin [1]. The plugin's form validation method did not require POST requests, making it possible for an attacker to trick a victim with appropriate permissions into performing unintended actions [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web page or link that, when visited by an authenticated Jenkins user, causes a forged request to the Rundeck Plugin [3]. The attack requires no special privileges beyond the victim being logged into Jenkins [1]. The attacker can specify both the target URL and the credentials to be used for the connection [1].
Impact
Successful exploitation allows the attacker to make the Jenkins server connect to an attacker-specified URL using attacker-specified credentials [1]. This could lead to credential leakage, data exfiltration, or further compromise of systems accessible from the Jenkins controller.
Mitigation
The vulnerability has been fixed in a commit that adds @RequirePOST and permission checks to the affected methods [2]. Jenkins users should update the Rundeck Plugin to a version containing this fix [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:rundeck (Maven) | < 3.6.6 | 3.6.6 |
Affected products
- Range: 3.6.5 and earlier
Patches
68177fc53f40 Merge branch 'SECURITY-1460'
2 files changed · +24 −4
src/main/java/org/jenkinsci/plugins/rundeck/RundeckNotifier.java+21 −1 modified@@ -24,9 +24,11 @@ import org.jenkinsci.plugins.rundeck.cache.InMemoryRundeckJobCache; import org.jenkinsci.plugins.rundeck.cache.RundeckJobCache; import org.jenkinsci.plugins.rundeck.cache.RundeckJobCacheConfig; +import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.rundeck.api.RunJobBuilder; import org.rundeck.api.RundeckApiException; import org.rundeck.api.RundeckApiException.RundeckApiLoginException; @@ -708,23 +710,33 @@ public Publisher newInstance(StaplerRequest req, JSONObject formData) throws For } @SuppressWarnings("unused") + @RequirePOST public FormValidation doDisplayCacheStatistics() { + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + return FormValidation.ok(rundeckJobCache.logAndGetStats()); } @SuppressWarnings("unused") + @RequirePOST public FormValidation doInvalidateCache() { + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + rundeckJobCache.invalidate(); return FormValidation.ok("Done"); } @SuppressWarnings("unused") + @RequirePOST public FormValidation doTestConnection(@QueryParameter("rundeck.url") final String url, @QueryParameter("rundeck.login") final String login, @QueryParameter("rundeck.password") final Secret password, @QueryParameter("rundeck.authtoken") final Secret token, @QueryParameter(value = "rundeck.apiversion", fixEmpty = true) final Integer apiversion) { + + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + RundeckClient rundeck = null; RundeckClientBuilder builder = RundeckClient.builder().url(url); 
@@ -766,12 +778,20 @@ public FormValidation doTestConnection(@QueryParameter("rundeck.url") final Stri * @param token * @return */ + @RequirePOST public FormValidation doCheckJobIdentifier(@QueryParameter("jobIdentifier") final String jobIdentifier, @QueryParameter("rundeckInstance") final String rundeckInstance, @QueryParameter("jobUser") final String user, @QueryParameter("jobPassword") final Secret password, - @QueryParameter("jobToken") final Secret token) { + @QueryParameter("jobToken") final Secret token, + @AncestorInPath Item item) { + + if (item == null) { // no context + return FormValidation.ok(); + } + + item.checkPermission(Item.CONFIGURE); if (password==null && !StringUtils.isBlank(user)) { return FormValidation.error("The password is mandatory if user is not empty !");
src/main/resources/org/jenkinsci/plugins/rundeck/RundeckNotifier/config.jelly+3 −3 modified@@ -28,9 +28,9 @@ <f:entry title="Token (optional)" field="jobToken"> <f:password /> </f:entry> - - <f:entry title="Job Identifier" field="jobIdentifier"> - <f:textbox /> + + <f:entry title="Job Identifier" field="jobIdentifier" > + <f:textbox checkMethod="post"/> </f:entry> <f:entry title="Job options (optional)" field="options"> <f:textarea />
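Review bot: In the `@@ -708,23 +710,33 @@` hunk of RundeckNotifier.java, `doTestConnection` now carries `@RequirePOST`, but the form that triggers it (the `rundeck.url` / `rundeck.login` / `rundeck.password` / `rundeck.authtoken` fields) is not part of this diff, unlike `config.jelly` for `jobIdentifier`; confirm that the button invoking this validator already submits via POST, otherwise the check will be rejected as a non-POST request after this change. As a style point, the three new `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` lines could use `Jenkins.get()` where the plugin's core baseline provides it, since `getInstance()` is the older accessor.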
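Review bot: In the `@@ -766,12 +778,20 @@` hunk, the Javadoc ending `* @param token * @return */` is not updated for the new `@AncestorInPath Item item` parameter; add a `@param item` line stating that validation is skipped (`return FormValidation.ok();`, per the `// no context` comment) when no item context is present, and that callers with an item must hold `Item.CONFIGURE`. The permission check is correctly placed before the user/password consistency check, so no parameter-derived work happens for an unauthorized caller.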
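Review bot: In the config.jelly hunk, `<f:entry title="Job Identifier" field="jobIdentifier" >` picks up a stray space before `>`, and the preceding blank line is removed and re-added unchanged (a whitespace-only change); tidy both so the hunk is only the intended `checkMethod="post"` addition on `<f:textbox checkMethod="post"/>`, which is what lets the `@RequirePOST`-guarded `doCheckJobIdentifier` keep working from the form.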
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4c2w-wcw4-8jv9 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10454 (GHSA, advisory)
- github.com/jenkinsci/rundeck-plugin/commit/68177fc53f40d038233c9d54f3d59fdee9d6ced0 (GHSA, web)
- jenkins.io/security/advisory/2019-10-16/ (GHSA, x_refsource_CONFIRM, web)