VYPR
High severity · NVD Advisory · Published Oct 23, 2019 · Updated Aug 4, 2024

CVE-2019-10464

Description

A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Jenkins Deploy WebLogic Plugin lets attackers make authenticated requests to arbitrary URLs or probe file existence on the Jenkins master.

Vulnerability

Overview

CVE-2019-10464 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Deploy WebLogic Plugin. The plugin fails to require a CSRF token or perform origin validation, allowing an attacker to trick an authenticated Jenkins user into executing unintended actions. Specifically, the attacker can force the plugin to connect to an attacker-specified URL using attacker-supplied credentials, or to check whether a file or directory with an attacker-specified path exists on the Jenkins master file system [1][3].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must convince a Jenkins user who has permissions to use the Deploy WebLogic Plugin to click a crafted link or visit a malicious page. No additional authentication is required for the attacker; the victim's active session is reused. The attack can be launched remotely via social engineering or by embedding the malicious request in a web page [2].

Impact

Successful exploitation yields two potential outcomes. First, the attacker can make the Jenkins master connect to an arbitrary URL using arbitrary credentials, which could be used to exfiltrate data, perform reconnaissance, or pivot to internal systems. Second, the attacker can probe the existence of files or directories on the Jenkins master file system, leading to information disclosure about the environment and configuration [1][3].

Mitigation

Status

At the time of disclosure (October 2019), the Jenkins Security Advisory listed this vulnerability as unresolved, meaning no patched version of the Deploy WebLogic Plugin was available [1][2]. Users were advised to disable the plugin or restrict access to Jenkins until a fix could be released. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog.
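As an added illustration (hypothetical code, not the Deploy WebLogic Plugin's own and not taken from this advisory), the descriptor below shows the two guards whose absence the Overview describes, applied to the two kinds of endpoint the Impact section names: @POST so the handler cannot be reached by a plain cross-site GET and Jenkins' crumb check applies, and a permission check tied to the job being configured. The class, method and parameter names are assumptions.

```java
// Illustrative Jenkins plugin descriptor (hypothetical; not the Deploy WebLogic Plugin's code).
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import java.io.File;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
@Extension
public class ExampleDeployerDescriptor extends BuildStepDescriptor<Publisher> {
    // Without @POST, Stapler serves this on a plain GET, and without checkPermission it runs
    // for any logged-in user whose browser can be steered to the URL: the CSRF pattern
    // behind CVE-2019-10464. @POST makes Jenkins' crumb check apply; the permission check
    // ties the action to a user allowed to configure the job being edited.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item, @QueryParameter String url,
            @QueryParameter String username, @QueryParameter String password) {
        if (item == null) { return FormValidation.ok(); } // no job context: validate nothing
        item.checkPermission(Item.CONFIGURE);
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + token);
            c.setConnectTimeout(5000);
            int code = c.getResponseCode();
            return code < 400 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
    // Same guard for the path check; unguarded, it is a file-existence oracle for the controller.
    @POST
    public FormValidation doCheckLocalPath(@AncestorInPath Item item, @QueryParameter String value) {
        if (item == null) { return FormValidation.ok(); }
        item.checkPermission(Item.CONFIGURE);
        return new File(value).exists() ? FormValidation.ok() : FormValidation.warning("Path not found");
    }
    @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
}
```

A quick check for this class of bug in any plugin is to list the descriptor's public do* methods and confirm each one that performs I/O on the controller carries both a POST-only annotation and a permission check.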

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:weblogic-deployer-plugin (Maven)
Affected versions: <= 4.1
Patched versions: (none listed)

Affected products: 3

Patches: 0 (no patches discovered yet)

References: 4
