VYPR
Moderate severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024

CVE-2019-16571

Description

A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins RapidDeploy Plugin 4.1 and earlier lacks a permission check, enabling attackers with Overall/Read to connect to arbitrary web servers.

CVE-2019-16571 is a missing permission check vulnerability in the Jenkins RapidDeploy Plugin version 4.1 and earlier. The plugin fails to verify that a user has the necessary permissions before allowing them to connect to a web server, effectively allowing any user with Overall/Read access to trigger an outbound connection to an attacker-specified server [1].

Exploitation requires only the Overall/Read permission, which is a low-privilege access level in Jenkins. An attacker can specify an arbitrary web server URL, and the Jenkins controller will attempt to connect to it. This can be done without any additional authentication or interaction from other users [1][3].

The impact is that an attacker can cause the Jenkins controller to connect to an external server under their control. This could be used for reconnaissance, to exfiltrate data, or as part of a server-side request forgery (SSRF) attack. The exact consequences depend on the network environment and the capabilities of the attacker-controlled server [1].

As of the Jenkins Security Advisory 2019-12-17, the RapidDeploy Plugin is listed among plugins with unresolved security issues, meaning no official patch was available at that time [2]. Users are advised to restrict the Overall/Read permission to trusted users or consider disabling the plugin if possible.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:rapiddeploy-jenkins (Maven) | <= 4.1 | |

Affected products

3

Patches

0

No patches discovered yet.

References

4
