PT-2019-11761 · Jenkins · Jenkins Google Kubernetes Engine Plugin
Jesse Glick · Published 2019-07-31 · Updated 2023-10-25 · CVE-2019-10365
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Google Kubernetes Engine Plugin versions 0.6.2 and earlier
Description
Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token inside the project workspace. Because users with Job/Read permission can browse the workspace, they could read that token. The temporary file is now created outside the regular project workspace.
Recommendations
For Jenkins Google Kubernetes Engine Plugin versions 0.6.2 and earlier, consider updating to a version where the temporary file is created outside the regular project workspace to minimize access to the temporary access token.
As a temporary workaround, consider restricting access to the project workspace for users with Job/Read permission until a more secure version is available.
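An inventory check for the affected version range, added here as an example and not part of the original advisory. It reads the plugin list Jenkins serves at /pluginManager/api/json?depth=1 and flags installs of the plugin at 0.6.2 or earlier; the plugin shortName `google-kubernetes-engine` is an assumption, and the JSON sample is constructed.

```python
"""Flag Jenkins Google Kubernetes Engine Plugin installs at <= 0.6.2.
Added example, not code from the advisory or the plugin project."""
import json
import re

AFFECTED_SHORT_NAME = "google-kubernetes-engine"  # assumed plugin shortName
LAST_AFFECTED = (0, 6, 2)  # "versions 0.6.2 and earlier" per the advisory


def parse_version(version):
    """Turn '0.6.2', '0.7.0-rc1' or '1.2' into a comparable tuple of ints.
    Only the leading dotted numeric part is compared; a pre-release suffix
    is ignored on purpose, so '0.7.0-rc1' sorts with 0.7.0."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable plugin version: {version!r}")
    parts = tuple(int(n) for n in match.group(1).split("."))
    # pad so that '1.2' compares equal to '1.2.0'
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return parse_version(version) <= LAST_AFFECTED


def find_affected(plugin_manager_json):
    """Return [(shortName, version)] for active GKE plugin installs <= 0.6.2
    found in the JSON returned by /pluginManager/api/json?depth=1."""
    data = json.loads(plugin_manager_json)
    hits = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != AFFECTED_SHORT_NAME:
            continue
        if plugin.get("active", True) and is_affected(plugin["version"]):
            hits.append((plugin["shortName"], plugin["version"]))
    return hits


# Constructed sample of the plugin-manager response, not a real instance.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.0.0", "active": True},
    {"shortName": "google-kubernetes-engine", "version": "0.6.2", "active": True},
]})

if __name__ == "__main__":
    print(find_affected(SAMPLE))  # [('google-kubernetes-engine', '0.6.2')]
```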
Fix
The temporary file is now created outside the regular project workspace.
Weakness Enumeration
CWE-668: Exposure of Resource to Wrong Sphere
Related Identifiers
CVE-2019-10365
Affected Products
Jenkins Google Kubernetes Engine Plugin