CVE-2019-10339

Name of the Vulnerable Software and Affected Versions Jenkins JX Resources Plugin versions 1.0.36 and earlier

Description A missing permission check in the GlobalPluginConfiguration#doValidateClient method allowed users with Overall/Read access to connect to an attacker-specified Kubernetes server, potentially leaking credentials. This issue also allowed attackers to obtain information about an attacker-specified namespace and the value of any attacker-specified environment variable for the Jenkins controller process. Furthermore, it resulted in a cross-site request forgery vulnerability due to not requiring POST requests.

Recommendations For Jenkins JX Resources Plugin versions 1.0.36 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permissions for the form validation method, or apply a configuration change to restrict access to the GlobalPluginConfiguration#doValidateClient method to users with Overall/Administer permissions. As a temporary workaround, consider restricting the GlobalPluginConfiguration#doValidateClient method to require Overall/Administer permissions until a patch is available.