CVE-2019-10455
Description
Missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read to connect to attacker-specified URLs using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Rundeck Plugin (versions prior to 2.4.5) lacked a permission check in the doTestConnection method, which is used to validate connectivity to a Rundeck server. This allowed any user with Overall/Read permission to trigger a connection to an arbitrary URL using attacker-specified credentials. [1][3]
Exploitation
An attacker can send a POST request to the affected endpoint, providing a URL and credentials of their choice. The plugin would then attempt to connect to that URL using those credentials, potentially leaking Jenkins-stored credentials or establishing a connection to a malicious server. The missing RequirePOST annotation also means that an attacker could exploit this via a cross-site request forgery (CSRF) attack, although the primary issue is the missing permission check. [1][3]
Impact
Successful exploitation allows an attacker to use Jenkins to make authenticated requests to arbitrary URLs, potentially capturing credentials stored in Jenkins or using the Jenkins server as a proxy for further attacks. This could lead to credential theft or unauthorized access to external systems. [1]
Mitigation
The issue is fixed in Rundeck Plugin version 2.4.5, which adds @RequirePOST and a checkPermission(Jenkins.ADMINISTER) call to the affected methods. Users should update to this version or later. The Jenkins Security Advisory 2019-10-16 provides further details. [1][3]
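A regression test a maintainer could add beside this fix, in JenkinsRule/JUnit 4 style (an added example, not code from the plugin, the advisory or the commits below). Assumptions: the descriptor's doTestConnection is served at Jenkins' default descriptorByName path for RundeckNotifier, htmlunit classes live under com.gargoylesoftware.htmlunit (older test-harness versions), and the Rundeck URL and credentials are constructed values pointing at a closed loopback port.

```java
import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.WebRequest;
import java.net.URL;
import jenkins.model.Jenkins;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.MockAuthorizationStrategy;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals;

public class RundeckTestConnectionPermissionTest {

    @Rule
    public JenkinsRule j = new JenkinsRule();

    // Assumed Stapler path for the descriptor's doTestConnection. The Rundeck URL and
    // credentials are constructed values (closed loopback port), so a connection attempt
    // that does pass the permission gate fails fast and harmlessly.
    private static final String TEST_CONNECTION =
        "descriptorByName/org.jenkinsci.plugins.rundeck.RundeckNotifier/testConnection"
        + "?rundeck.url=http://127.0.0.1:9&rundeck.login=user&rundeck.password=secret";

    // Logs in as the given dummy-realm user, issues the request and returns the HTTP status.
    private int status(String user, HttpMethod method) throws Exception {
        JenkinsRule.WebClient wc = j.createWebClient();
        wc.getOptions().setThrowExceptionOnFailingStatusCode(false); // we inspect the status ourselves
        wc.login(user);
        WebRequest req = new WebRequest(new URL(wc.getContextPath() + TEST_CONNECTION), method);
        if (method == HttpMethod.POST) {
            req = wc.addCrumb(req); // attach the CSRF crumb so a 403 can only mean "no permission"
        }
        return wc.getPage(req).getWebResponse().getStatusCode();
    }

    @Test
    public void onlyAdminMayTestConnectionAndOnlyViaPost() throws Exception {
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
            .grant(Jenkins.ADMINISTER).everywhere().to("admin")
            .grant(Jenkins.READ).everywhere().to("reader"));

        // Overall/Read only: @RequirePOST rejects GET before the method body runs,
        // and checkPermission(Jenkins.ADMINISTER) rejects the POST.
        assertEquals(405, status("reader", HttpMethod.GET));
        assertEquals(403, status("reader", HttpMethod.POST));

        // Administrator: the gate opens and a FormValidation (connection failure
        // against the dead port) comes back; whatever it says, it is not a 403.
        assertNotEquals(403, status("admin", HttpMethod.POST));
    }
}
```

Before the fix the second assertion fails (the reader's POST reaches the Rundeck client), which is exactly the regression this test is meant to catch.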
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:rundeck (Maven) | < 3.6.6 | 3.6.6 |
Affected products
- Range: 3.6.5 and earlier
Patches
68177fc53f40 Merge branch 'SECURITY-1460'
2 files changed · +24 −4
src/main/java/org/jenkinsci/plugins/rundeck/RundeckNotifier.java+21 −1 modified@@ -24,9 +24,11 @@ import org.jenkinsci.plugins.rundeck.cache.InMemoryRundeckJobCache; import org.jenkinsci.plugins.rundeck.cache.RundeckJobCache; import org.jenkinsci.plugins.rundeck.cache.RundeckJobCacheConfig; +import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.rundeck.api.RunJobBuilder; import org.rundeck.api.RundeckApiException; import org.rundeck.api.RundeckApiException.RundeckApiLoginException; @@ -708,23 +710,33 @@ public Publisher newInstance(StaplerRequest req, JSONObject formData) throws For } @SuppressWarnings("unused") + @RequirePOST public FormValidation doDisplayCacheStatistics() { + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + return FormValidation.ok(rundeckJobCache.logAndGetStats()); } @SuppressWarnings("unused") + @RequirePOST public FormValidation doInvalidateCache() { + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + rundeckJobCache.invalidate(); return FormValidation.ok("Done"); } @SuppressWarnings("unused") + @RequirePOST public FormValidation doTestConnection(@QueryParameter("rundeck.url") final String url, @QueryParameter("rundeck.login") final String login, @QueryParameter("rundeck.password") final Secret password, @QueryParameter("rundeck.authtoken") final Secret token, @QueryParameter(value = "rundeck.apiversion", fixEmpty = true) final Integer apiversion) { + + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + RundeckClient rundeck = null; RundeckClientBuilder builder = RundeckClient.builder().url(url); 
@@ -766,12 +778,20 @@ public FormValidation doTestConnection(@QueryParameter("rundeck.url") final Stri * @param token * @return */ + @RequirePOST public FormValidation doCheckJobIdentifier(@QueryParameter("jobIdentifier") final String jobIdentifier, @QueryParameter("rundeckInstance") final String rundeckInstance, @QueryParameter("jobUser") final String user, @QueryParameter("jobPassword") final Secret password, - @QueryParameter("jobToken") final Secret token) { + @QueryParameter("jobToken") final Secret token, + @AncestorInPath Item item) { + + if (item == null) { // no context + return FormValidation.ok(); + } + + item.checkPermission(Item.CONFIGURE); if (password==null && !StringUtils.isBlank(user)) { return FormValidation.error("The password is mandatory if user is not empty !");
src/main/resources/org/jenkinsci/plugins/rundeck/RundeckNotifier/config.jelly+3 −3 modified@@ -28,9 +28,9 @@ <f:entry title="Token (optional)" field="jobToken"> <f:password /> </f:entry> - - <f:entry title="Job Identifier" field="jobIdentifier"> - <f:textbox /> + + <f:entry title="Job Identifier" field="jobIdentifier" > + <f:textbox checkMethod="post"/> </f:entry> <f:entry title="Job options (optional)" field="options"> <f:textarea />
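Review bot: The Javadoc directly above doCheckJobIdentifier (`* @param token`, `* @return`) was not updated for the new `@AncestorInPath Item item` parameter; add a `@param item` line stating that a null item means there is no job context and validation is skipped with `FormValidation.ok()`. Neither changed file is a test: a JenkinsRule test that POSTs to testConnection as an Overall/Read user and expects 403 (and expects 405 on GET) would pin the `@RequirePOST` plus `checkPermission(Jenkins.ADMINISTER)` behaviour against regressions. Minor: the three new `Jenkins.getInstance().checkPermission(...)` calls could use `Jenkins.get()` if the plugin's core baseline allows it, since getInstance() is deprecated and may return null.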
f0d115f14a9d Merge branch 'SECURITY-1460' of https://github.com/jenkinsci-cert/rundeck-plugin into SECURITY-1460
1 file changed · +5 −4
src/main/java/org/jenkinsci/plugins/rundeck/RundeckNotifier.java+5 −4 modified@@ -52,7 +52,7 @@ /** * Jenkins {@link Notifier} that runs a job on Rundeck (via the {@link RundeckClient}) - * + * * @author Vincent Behar */ public class RundeckNotifier extends Notifier implements SimpleBuildStep { @@ -181,7 +181,7 @@ private ChangeLogSet<? extends Entry> getChangeSet(@Nonnull Run<?, ?> run) { /** * Check if we need to notify Rundeck for this build. If we have a tag, we will look for it in the changelog of the * build and in the changelog of all upstream builds. - * + * * @param build for checking the changelog * @param listener for logging the result * @return true if we should notify Rundeck, false otherwise @@ -784,12 +784,13 @@ public FormValidation doCheckJobIdentifier(@QueryParameter("jobIdentifier") fina @QueryParameter("jobUser") final String user, @QueryParameter("jobPassword") final Secret password, @QueryParameter("jobToken") final Secret token, - @AncestorInPath Item item) { + @AncestorInPath Item item) { + if (item == null) { // no context return FormValidation.ok(); } - + item.checkPermission(Item.CONFIGURE); if (password==null && !StringUtils.isBlank(user)) {
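Review bot: All three hunks in this merge are whitespace-only (trailing spaces dropped from the Javadoc at -52 and -181, a blank line moved at -784) and change no behaviour, so the fix itself lives entirely in 68177fc53f40. Keeping formatting cleanups out of a SECURITY-1460 merge keeps the diff minimal for anyone auditing the security change; if the cleanup is kept, confirm that the re-indented `@AncestorInPath Item item) {` line still aligns with the other parameters of doCheckJobIdentifier.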
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-p4f7-7c33-9675 (GHSA, advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2019-10455 (advisory)
[3] github.com/jenkinsci/rundeck-plugin/commit/68177fc53f40d038233c9d54f3d59fdee9d6ced0 (web)
[4] github.com/jenkinsci/rundeck-plugin/commit/f0d115f14a9d2b0bfe4a33f1dc68aa637430b8ed (web)
[5] jenkins.io/security/advisory/2019-10-16/ (x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.