PT-2019-14714 · Jenkins · Jenkins Websphere Deployer Plugin

Daniel Beck · Published 2019-12-17 · Updated 2023-10-25 · CVE-2019-16559

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins WebSphere Deployer Plugin versions 1.6.1 and earlier

Description: A missing permission check in the plugin allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. The plugin also does not perform permission checks in methods performing form validation, allowing users with Overall/Read access to obtain limited information about the Jenkins and plugin configuration. Furthermore, the form validation methods are vulnerable to CSRF attacks as they do not require POST requests.

Recommendations: For Jenkins WebSphere Deployer Plugin versions 1.6.1 and earlier, as a temporary workaround, consider restricting access to the plugin's form validation methods to minimize the risk of exploitation. Additionally, restrict the ability to perform connection tests and set plugin configuration options to authorized users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
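Added example, not the WebSphere Deployer Plugin's own code: a hypothetical Jenkins global-configuration class that shows the form-validation and connection-test pattern the description refers to beside the hardened form the recommendations call for (a permission check plus a POST requirement). It assumes a Jenkins core that provides `Jenkins.get()` and Stapler's `@POST` annotation; the class and method names are invented.

```java
// Hypothetical plugin descriptor for illustration; not the advisory's plugin.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

@Extension
public class DeployerGlobalConfiguration extends GlobalConfiguration {
    // BEFORE: the pattern this advisory describes. Stapler routes any GET or
    // POST for .../checkKeyStorePathUnsafe?value=... to this method. With no
    // permission check, anyone with Overall/Read learns whether the given path
    // exists on the controller; with no POST requirement, a third-party page
    // can make a logged-in user's browser trigger it (CSRF).
    public FormValidation doCheckKeyStorePathUnsafe(@QueryParameter String value) {
        return new File(value).exists()
                ? FormValidation.ok()
                : FormValidation.error("Key store not found: " + value);
    }

    // AFTER: @POST rejects non-POST requests, and checkPermission throws
    // AccessDeniedException unless the caller holds Overall/Administer, the
    // permission that governs global plugin configuration.
    @POST
    public FormValidation doCheckKeyStorePath(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return new File(value).exists()
                ? FormValidation.ok()
                : FormValidation.error("Key store not found: " + value);
    }

    // Connection test hardened the same way: without the two guards below any
    // Overall/Read user could make the controller open TCP connections to
    // caller-chosen host/port pairs and observe the outcome.
    @POST
    public FormValidation doTestConnection(@QueryParameter String host, @QueryParameter int port) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), 3000); // 3 s timeout
            return FormValidation.ok("Connected to " + host + ":" + port);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

For validation methods on job-level configuration, the same guard is applied against the item (`@AncestorInPath Item item` with `item.checkPermission(Item.CONFIGURE)`) rather than against Overall/Administer.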

Weakness Enumeration: Incorrect Default Permissions

Related Identifiers

CVE-2019-16559
GHSA-MXF8-GRM7-MVQW

Affected Products

Jenkins
Jenkins Websphere Deployer Plugin