CVE-2019-16559

CWE-276 — Incorrect Default Permissions5 documents5 sources

Severity

5.4MEDIUM

EPSS

0.0%

top 91.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Websphere Deployer Plugin Jenkins Websphere Deployer

Timeline

PublishedDec 17

Latest updateMay 24

Description

A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:websphere-deployer1.6.1

▶CVEListV5jenkins_project/jenkins_websphere_deployer_pluginunspecified — 1.6.1

▶NVDjenkins/websphere_deployer1.6.1

🔴Vulnerability Details

GHSA

Jenkins WebSphere Deployer Plugin missing permission check↗2022-05-24

▶

OSV

Jenkins WebSphere Deployer Plugin missing permission check↗2022-05-24

▶

CVEList

CVE-2019-16559: A missing permission check in Jenkins WebSphere Deployer Plugin 1↗2019-12-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-12-17↗2019-12-17

▶