CVE-2019-16560 - Vulnerability Details - OpenCVE

A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Websphere Deployer

Configuration 1 [-]

cpe:2.3:a:jenkins:websphere_deployer:*:*:*:*:*:jenkins:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2019/12/17/1
https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371

History

No history.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2019-12-17T14:40:50

Updated: 2024-08-05T01:17:41.041Z

Reserved: 2019-09-20T00:00:00

Link: CVE-2019-16560

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-12-17T15:15:18.550

Modified: 2024-11-21T04:30:49.577

Link: CVE-2019-16560

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Jenkins WebSphere Deployer Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.6.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 1.6.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:50:51.502Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371"}, {"name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-16560", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins WebSphere Deployer Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.6.1"}, {"version_affected": "?>", "version_value": "1.6.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371"}, {"name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:17:41.041Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371"}, {"name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-16560", "datePublished": "2019-12-17T14:40:50", "dateReserved": "2019-09-20T00:00:00", "dateUpdated": "2024-08-05T01:17:41.041Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:websphere_deployer:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "35D51780-9E1C-4764-BA20-99F807B998BF", "versionEndIncluding": "1.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site request forgery en Jenkins WebSphere Deployer Plugin 1.6.1 y versiones anteriores permite a los atacantes realizar pruebas de conexi\u00f3n y determinar si existen archivos con una ruta de acceso especificada por el atacante en el sistema de archivos maestro de Jenkins."}], "id": "CVE-2019-16560", "lastModified": "2024-11-21T04:30:49.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-17T15:15:18.550", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1371"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}