VYPR
Moderate severityNVD Advisory· Published Dec 17, 2019· Updated Aug 5, 2024

CVE-2019-16570


Description

A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier lets an attacker who has no Jenkins credentials of their own make the Jenkins controller connect to an attacker-specified web server, by causing an authenticated user's browser to issue the request.

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins RapidDeploy Plugin, versions 4.1 and earlier. The plugin fails to require a POST request for certain form validation endpoints, making it susceptible to CSRF attacks. This allows an attacker to trick an authenticated Jenkins user into unknowingly making a request that connects to an attacker-specified web server [1][2].

Exploitation

To exploit this vulnerability, an attacker must persuade a Jenkins user with at least Overall/Read access to click a crafted link or visit a malicious page while authenticated to Jenkins. The attack does not require any privileges on the Jenkins instance beyond those of the victim user. Because the vulnerable endpoint accepts GET requests, Jenkins's built-in CSRF protection does not help: the crumb token is only enforced on POST, so a plain cross-origin GET (for example an image or link on the attacker's page) carrying the victim's session cookie is enough to trigger the connection [1].

Impact

Successful exploitation results in the Jenkins controller connecting to an attacker-controlled web server. The advisory describes the effect only as connecting to an attacker-specified web server, so the practical impact is forced outbound connections from the controller: an attacker can confirm that the instance exists and observe the source address it connects from, but no data leakage or further exploitation on the Jenkins controller is described [1][2].

Mitigation

As of the advisory date (2019-12-17), no fix had been released for the RapidDeploy Plugin, and the plugin remains listed among those with unresolved security issues. Users are advised to restrict outbound network access from the Jenkins controller to untrusted destinations and to monitor for unexpected outbound connections. No workaround within the plugin itself is documented [1][2][3].
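The root cause named in the Exploitation section (a form validation method reachable over GET) and the fix a plugin maintainer would apply are easiest to see side by side. The following is an added illustration written for this page; it is not the RapidDeploy Plugin's own code. The builder class, its descriptor, the serverUrl parameter, and the two method names are assumptions chosen to show the pattern. The unsafe method accepts GET, so Jenkins's crumb check never runs; the hardened method uses Stapler's @RequirePOST so the request must carry a crumb (or an API token), which a cross-site page cannot obtain, and adds an explicit permission check so only administrators can make the controller open an outbound connection.

```java
// Added illustration for CVE-2019-16570's bug class; not the RapidDeploy Plugin's code.
// Class, method and parameter names below are hypothetical.
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class ExampleDeployBuilder extends Builder {

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws InterruptedException, IOException {
        return true; // build logic is irrelevant to the form-validation issue
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // VULNERABLE PATTERN (illustrative): Stapler exposes this as
        // /descriptorByName/<describable class>/testConnectionUnsafe?serverUrl=...
        // and answers GET. Jenkins enforces its CSRF crumb only on POST, so an
        // <img src="..."> on an attacker's page makes the controller connect to
        // serverUrl using the victim's session. There is no permission check either.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl) {
            return probe(serverUrl);
        }

        // HARDENED: @RequirePOST rejects GET, so a browser must send a POST with a
        // valid crumb, which a cross-origin page cannot forge. The permission check
        // restricts who may cause the controller to open an outbound connection.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String serverUrl) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(serverUrl);
        }

        // Shared connection test: a HEAD request with short timeouts so a slow or
        // unreachable server cannot tie up a request thread for long.
        private static FormValidation probe(String serverUrl) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
                conn.setRequestMethod("HEAD");
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                int status = conn.getResponseCode();
                return status < 400
                        ? FormValidation.ok("Server reachable (HTTP " + status + ")")
                        : FormValidation.error("Server returned HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example deploy step (illustration)";
        }
    }
}
```

Note that @RequirePOST alone closes the CSRF hole but still lets any user who can reach the form make the controller connect out; the checkPermission call is what limits that to administrators (or, for job-scoped validation, to users with Item/Configure on that job). Both changes are the standard Jenkins guidance for form validation methods that open network connections.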

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                              Affected versions   Patched versions
org.jenkins-ci.plugins:rapiddeploy-jenkins (Maven)   <= 4.1              none

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 4
