VYPR
Moderate severity · NVD Advisory · Published Oct 16, 2019 · Updated Aug 4, 2024

CVE-2019-10456

Description

CSRF in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin lets attackers connect to attacker-controlled URLs with attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-10456 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Oracle Cloud Infrastructure Compute Classic Plugin. The plugin fails to require a POST request or validate the origin of requests when performing certain actions, allowing an attacker to trick a Jenkins user with sufficient permissions into executing unintended operations [1][2].

Exploitation

An attacker can craft a malicious web page or link that, when visited by an authenticated Jenkins user, triggers a forged request to the Jenkins server. This request uses the victim's session to connect to an attacker-specified URL using attacker-specified credentials. No additional authentication is required beyond the victim's existing session [1].

Impact

Successful exploitation enables the attacker to make the Jenkins server connect to arbitrary external URLs with credentials of the attacker's choosing. This could be used to exfiltrate data, perform actions on external systems, or potentially capture credentials stored in Jenkins if the attacker can observe the connection [1][2].

Mitigation

The vulnerability was addressed in the Jenkins Security Advisory 2019-10-16. Users should update the Oracle Cloud Infrastructure Compute Classic Plugin to a patched version. No workarounds are mentioned; updating is the recommended action [1].
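For maintainers auditing their own plugins for the missing-POST pattern described in the Overview, the following is an added example, not code from the advisory or from the plugin. It is a line-based heuristic that lists Stapler web methods (public `do*` methods, which Jenkins exposes as HTTP endpoints) carrying neither `@RequirePOST` nor `@POST`; the Java sample is constructed and its class and method names are hypothetical.

```python
import re

# Constructed sample of a plugin descriptor; class and method names are hypothetical.
SAMPLE_JAVA = '''
public class ExampleCloudDescriptor {
    public FormValidation doTestConnection(@QueryParameter String apiEndpoint,
                                           @QueryParameter String credentialsId) {
        return connect(apiEndpoint, credentialsId);
    }
    @RequirePOST
    public FormValidation doVerifyKey(@QueryParameter String keyId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return verify(keyId);
    }
    @POST
    public ListBoxModel doFillRegionItems() {
        return regions();
    }
    public FormValidation doCheckName(@QueryParameter String value) {
        return FormValidation.ok();
    }
}
'''

# Stapler routes public methods named do<Something> as HTTP endpoints.
WEB_METHOD = re.compile(r'^\s*public\s+[\w<>\[\], .]+?\s+(do[A-Z]\w*)\s*\(')
POST_ONLY = re.compile(r'^\s*@(RequirePOST|POST)\b')
ANNOTATION = re.compile(r'^\s*@\w+')

def find_unprotected_web_methods(java_source):
    """Return names of do* methods with no @RequirePOST/@POST directly above them."""
    findings = []
    lines = java_source.splitlines()
    for i, line in enumerate(lines):
        m = WEB_METHOD.match(line)
        if m:
            # Walk upward over the annotation lines attached to this method.
            j, protected = i - 1, False
            while j >= 0 and ANNOTATION.match(lines[j]):
                protected = protected or bool(POST_ONLY.match(lines[j]))
                j -= 1
            if not protected:
                findings.append(m.group(1))
    return findings

if __name__ == "__main__":
    for name in find_unprotected_web_methods(SAMPLE_JAVA):
        print("review:", name)
```

Results are candidates for manual review: a `doCheck*` method that only validates input without side effects may be acceptable over GET, while one that opens an outbound connection with caller-supplied values should be POST-only and permission-checked.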

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:oracle-cloud-infrastructure-compute-classic (Maven) | <= 1.0.0 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
