CVE-2019-16560
Description
A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier is vulnerable to CSRF, enabling unauthorized connection tests and file existence checks on the Jenkins master.
Vulnerability
Description
CVE-2019-16560 is a cross-site request forgery (CSRF) vulnerability in the Jenkins WebSphere Deployer Plugin, affecting versions 1.6.1 and earlier. The plugin fails to require a POST request for connection test form validation, allowing an attacker to craft a malicious link or page that, when visited by an authenticated Jenkins user with the necessary permissions, performs unintended actions without the user's consent [1][2][3].
Exploitation
An attacker can exploit this CSRF flaw by tricking an authenticated Jenkins user into clicking a specially crafted link or loading a malicious web page. The attacker does not need direct access to the Jenkins instance but must rely on social engineering or other methods to have the victim perform the action. The attack leverages the victim's session to send forged requests to the Jenkins server [1].
Impact
Successful exploitation allows an attacker to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. This information disclosure can aid in reconnaissance, helping an attacker map the file system structure or identify the presence of specific files, potentially escalating further attacks [1][3].
Mitigation
As of the Jenkins security advisory dated December 17, 2019, no fix was available for this plugin. The advisory notes the vulnerability as unresolved, meaning users may need to disable the plugin or apply workarounds until a patched version is released [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:websphere-deployer | Maven | <= 1.6.1 | — |
Affected products
- Range: <=1.6.1
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c3wf-rrhq-rfp2 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16560 (source: GHSA; type: ADVISORY)
- www.openwall.com/lists/oss-security/2019/12/17/1 (source: GHSA; type: mailing-list, x_refsource_MLIST, WEB)
- jenkins.io/security/advisory/2019-12-17/ (source: GHSA; type: x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.