VYPR
High severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024

CVE-2019-16561

Description

Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins WebSphere Deployer Plugin 1.6.1 and earlier lets users with Overall/Read access disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.

Vulnerability

Description

The Jenkins WebSphere Deployer Plugin, in versions 1.6.1 and earlier, contains a security flaw that allows users who have only Overall/Read permission to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM [1][3]. This behavior is unintended because Overall/Read permission should not grant such a far-reaching security change, one that affects every outbound TLS connection made by the whole Jenkins instance.

Exploitation

Conditions

An attacker needs to have Overall/Read access to the Jenkins instance. This is a relatively low-privilege permission that is often granted to many users, such as developers or auditors. No other special authentication or network position is required beyond being able to interact with the Jenkins web interface or API [1]. The plugin does not restrict this configuration toggle to administrators.

Impact

By disabling certificate and hostname validation, the Jenkins master JVM will accept any SSL/TLS certificate from any server it connects to. This makes the system vulnerable to man-in-the-middle (MitM) attacks. An attacker positioned between Jenkins and a remote server could present a forged certificate and intercept or modify traffic, potentially leaking sensitive data or allowing further compromise [1][3].

Mitigation

Status

The vulnerability affects WebSphere Deployer Plugin versions 1.6.1 and earlier. As of the advisory release on 2019-12-17, no fix had been published for this plugin [1][2]. Users are advised to restrict Overall/Read access to trusted users and, if possible, remove or disable the plugin. The plugin is listed in the advisory as having unresolved security issues [1][2].
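One defender-side check for the JVM-wide condition described above, added here as an example and not taken from the advisory or from the plugin: a Groovy snippet for the Jenkins Script Console that inspects the master JVM's default HostnameVerifier and SSLSocketFactory. It assumes that such a toggle works by replacing those JVM-wide defaults through HttpsURLConnection.setDefaultHostnameVerifier / setDefaultSSLSocketFactory; that is an assumption, not something the advisory states.

```groovy
// Jenkins Script Console check (Groovy). Added example, not code from the
// advisory or from the WebSphere Deployer Plugin.
// Assumption: a JVM-wide "disable validation" toggle installs a permissive
// HostnameVerifier / SSLSocketFactory through
// HttpsURLConnection.setDefaultHostnameVerifier / setDefaultSSLSocketFactory,
// so inspecting those defaults on the master reveals whether it happened.
import javax.net.ssl.HttpsURLConnection

def findings = []

// 1. Hostname verification. The JDK's built-in default verifier is the
//    nested class HttpsURLConnection.DefaultHostnameVerifier and always
//    returns false; any other class installed JVM-wide deserves a look.
def hv = HttpsURLConnection.getDefaultHostnameVerifier()
def hvName = hv.getClass().getName()
if (!hvName.startsWith("javax.net.ssl.HttpsURLConnection")) {
    findings << "Non-default HostnameVerifier installed: ${hvName}"
}
// Behavioural probe: a verifier that accepts a deliberately bogus hostname
// with no SSLSession at all is ignoring its inputs, i.e. it is trust-all.
// A verifier that needs a real session throws here; treat that as
// "not permissive" rather than as a finding.
try {
    if (hv.verify("bogus-hostname.invalid", null)) {
        findings << "HostnameVerifier ${hvName} accepts any hostname"
    }
} catch (Exception ignored) { }

// 2. Certificate validation. The JDK default factory class lives in
//    sun.security.ssl; a wrapper class from another package points at the
//    component that replaced it.
def sf = HttpsURLConnection.getDefaultSSLSocketFactory()
def sfName = sf.getClass().getName()
if (!sfName.startsWith("sun.security.ssl")) {
    findings << "Non-default SSLSocketFactory installed: ${sfName}"
}

if (findings.isEmpty()) {
    println "No JVM-wide TLS validation override visible via HttpsURLConnection defaults."
} else {
    println "JVM-wide TLS validation appears weakened:"
    findings.each { println "  - ${it}" }
}
```

A trust-all SSLContext installed some other way (for example via SSLContext.setDefault, whose socket factory keeps the JDK class name) is not visible by class name and needs a real connection test against a host presenting an untrusted certificate.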

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:websphere-deployer (Maven)
Affected versions: <= 1.6.1
Patched versions: (none listed)

Affected products: 3

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0