VYPR
Moderate severity · NVD Advisory · Published Oct 23, 2019 · Updated Aug 4, 2024

CVE-2019-10465

Description

A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Deploy WebLogic Plugin missing permission check allows attackers with Overall/Read to connect to arbitrary URLs or probe file existence.

The Jenkins Deploy WebLogic Plugin is affected by a missing permission check vulnerability. The plugin does not verify that a user has the required permissions before allowing actions such as connecting to an attacker-specified URL with attacker-specified credentials, or determining whether a file or directory exists at an attacker-specified path on the Jenkins master file system [1][3].

Exploitation requires only Overall/Read permission, which is a low-privilege level available to many users. An attacker can leverage this to make the Jenkins controller connect to arbitrary external servers using controlled credentials, or to probe the existence of files and directories on the master's file system [1][3].

The impact includes potential data exfiltration via SSRF-like connections and information disclosure through file existence checks. This can provide an attacker with valuable information about the Jenkins environment and potentially facilitate further attacks [1][3].

As of the publication date, the plugin remains unpatched and is listed as an unresolved security issue in the Jenkins security advisory. Users are advised to restrict Overall/Read permissions or remove the plugin until a fix is available [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:weblogic-deployer-plugin (Maven) | <= 4.1 | |

Affected products

3

Patches

0

No patches discovered yet.

References

4
