CVE-2019-16559
Description
A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing permission check in Jenkins WebSphere Deployer Plugin allows attackers with Overall/Read to test connections and probe file existence on the master.
Vulnerability
Overview
The Jenkins WebSphere Deployer Plugin versions 1.6.1 and earlier contain a missing permission check vulnerability [1][2][3]. This flaw allows a user with only Overall/Read permission, typically a low-privilege role, to improperly access a form validation method that performs connection tests [3].
Exploitation
An attacker with Overall/Read permission can send crafted requests to trigger connection tests using attacker-specified paths [1][3]. The plugin does not verify that the user has the required permissions (such as Overall/Administer) before executing these tests [1]. This enables the attacker to determine whether an arbitrary file exists on the Jenkins master file system by observing the test results [1][3].
Impact
The primary impact is information disclosure: an attacker can probe for the existence of specific files on the Jenkins controller [3]. This could be used to map the filesystem, reveal configuration files, or check for the presence of sensitive data, aiding further attacks.
Mitigation
Status
As of the 2019-12-17 Jenkins Security Advisory, the WebSphere Deployer Plugin had no fix available and was listed among “unresolved security issues” [1][2]. No updated version was released at that time [2]. Users should monitor for plugin updates or consider disabling the plugin if not required.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
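Since no fixed release is listed, the practical check is whether the plugin is installed and enabled at all. The script below is an added example, not code from Jenkins or the plugin; it assumes a plugin inventory exported as JSON with `shortName`, `version` and `enabled` fields (the shape of Jenkins' plugin manager JSON API), and the sample inventory is constructed.

```python
import json

PLUGIN_ID = "websphere-deployer"   # artifact id from the affected-packages table
LAST_AFFECTED = (1, 6, 1)          # "<= 1.6.1" per the advisory data on this page

# Constructed sample; field names are an assumption about the exported inventory.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.0.0", "enabled": True},
    {"shortName": "websphere-deployer", "version": "1.6.1", "enabled": True},
]})


def parse_version(text):
    """Turn '1.6.1' or '1.6.1-SNAPSHOT (private)' into a comparable tuple."""
    core = (text.split() or [""])[0].split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:   # so 1.6.1.0 compares equal to 1.6.1
        parts.pop()
    return tuple(parts)


def assess(inventory_json):
    """Return (status, version) for the plugin covered by CVE-2019-16559."""
    plugins = json.loads(inventory_json).get("plugins", [])
    for plugin in plugins:
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = plugin.get("version", "")
        if not plugin.get("enabled", True):
            return "installed-disabled", version
        if parse_version(version) <= LAST_AFFECTED:
            return "affected", version
        # Newer than 1.6.1: this page lists no patched version, so do not
        # assume it is fixed; check the Jenkins advisory for that release.
        return "review", version
    return "not-installed", ""


if __name__ == "__main__":
    print(assess(SAMPLE_INVENTORY))
```

A `review` result means the installed version is newer than the listed range, which this page neither confirms nor rules out as fixed.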
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:websphere-deployer (Maven) | <= 1.6.1 | — |
Affected products
- Range: <=1.6.1
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-mxf8-grm7-mvqw (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16559 (source: ghsa; type: ADVISORY)
- www.openwall.com/lists/oss-security/2019/12/17/1 (source: ghsa; type: mailing-list, x_refsource_MLIST, WEB)
- jenkins.io/security/advisory/2019-12-17/ (source: ghsa; type: x_refsource_CONFIRM, WEB)