PT-2019-11737 · Jenkins · Jenkins Jx Resources Plugin
Jesse Glick
Published: 2019-06-11
Updated: 2023-10-25
CVE-2019-10338
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins JX Resources Plugin versions 1.0.36 and earlier
Description
A cross-site request forgery issue allows attackers to make Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. The root cause is a missing permission check on a method implementing form validation, so the method can be invoked by any user with Overall/Read access to Jenkins. This allows attackers to obtain information about an attacker-specified namespace and potentially leak service account credentials. Additionally, attackers can obtain the value of any attacker-specified environment variable of the Jenkins controller process. The same form validation method is also exposed to cross-site request forgery because it does not require POST requests.
Recommendations
For Jenkins JX Resources Plugin versions 1.0.36 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permissions for the form validation method. As a temporary workaround, consider restricting access to the GlobalPluginConfiguration#doValidateClient method to users with Overall/Administer permissions until a patch is available. Restrict access to the Jenkins controller process environment variables to minimize the risk of exploitation.
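The two defects the advisory names (no permission check, no POST requirement on a form validation method) map onto a standard Jenkins plugin hardening pattern. The following is an added illustration, not code from the JX Resources Plugin or from the advisory: the class name `ExampleKubeClientConfiguration`, the parameter names and the method names are assumptions, and the validation body only checks input shape rather than contacting any server. It shows the unguarded form of a validation endpoint beside the guarded form that the recommended fix describes (POST only, Overall/Administer required).

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical global configuration page for a plugin that talks to a
// Kubernetes server. Names here are assumptions for this example only.
@Extension
public class ExampleKubeClientConfiguration extends GlobalConfiguration {

    // BEFORE: the pattern this advisory describes.
    // Stapler exposes every public doXxx method as a URL endpoint. Without a
    // permission check, any user with Overall/Read can call it; without @POST,
    // it answers GET requests, so it is also reachable cross-site (CSRF) from a
    // page the victim happens to load while logged in.
    public FormValidation doValidateClientBefore(@QueryParameter String serverUrl,
                                                 @QueryParameter String namespace) {
        return validateInputs(serverUrl, namespace);
    }

    // AFTER: the guarded form the recommendation calls for.
    // @POST makes Stapler reject non-POST requests, which brings the endpoint
    // under Jenkins' CSRF crumb check; checkPermission throws (HTTP 403) for
    // anyone without Overall/Administer before any work is done.
    @POST
    public FormValidation doValidateClient(@QueryParameter String serverUrl,
                                           @QueryParameter String namespace) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return validateInputs(serverUrl, namespace);
    }

    // Shared validation body. Deliberately limited to input-shape checks so
    // that nothing server-side (credentials, environment variables) is echoed
    // back into the message shown in the configuration form.
    private FormValidation validateInputs(String serverUrl, String namespace) {
        if (serverUrl == null || !serverUrl.startsWith("https://")) {
            return FormValidation.error("Server URL must start with https://");
        }
        if (namespace == null || namespace.trim().isEmpty()) {
            return FormValidation.warning("No namespace given; the default namespace will be used");
        }
        return FormValidation.ok("Settings look valid");
    }
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every public `doXxx` method on a `Descriptor` or `GlobalConfiguration` that touches credentials, the network, or the controller's process environment should carry `@POST` and an explicit `checkPermission` call, and the permission should be the one that governs the configuration the method validates.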
Fix
CSRF
Affected Products
Jenkins
Jenkins Jx Resources Plugin