PT-2019-14731 · Jenkins · Jenkins Alauda Kubernetes Support Plugin+1

Viktor Gazdag

Published

2019-12-17

Updated

2023-10-25

CVE-2019-16576

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Alauda Kubernetes Support Plugin versions 2.3.0 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing the Kubernetes service account token or credentials stored in Jenkins.

Recommendations For Jenkins Alauda Kubernetes Support Plugin versions 2.3.0 and earlier, update to a version that includes the fix for the missing permission check to prevent attackers from exploiting this issue.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2019-16576

GHSA-7H24-4X4C-69MF

Affected Products

Jenkins

Jenkins Alauda Kubernetes Support Plugin

PT-2019-14731 · Jenkins · Jenkins Alauda Kubernetes Support Plugin+1

CVE-2019-16576

Weakness Enumeration

Related Identifiers

Affected Products

References · 5