Cross-Site Request Forgery in Jenkins Docker Plugin by CloudBees
CVE-2019-10340

8.8HIGH

Key Information:

Vendor
Jenkins
Status
Jenkins Docker Plugin
Vendor
CVE Published:
11 July 2019

Summary

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Docker Plugin version 1.1.6 and prior, which allows users with Overall/Read access to initiate connections to an unauthorized URL. This attackers can exploit this by using compromised credential IDs, which might be obtained through other means, thereby potentially exposing sensitive Jenkins credentials that are stored within the system. Proper access controls and mitigations should be implemented to protect against such vulnerabilities.

Affected Version(s)

Jenkins Docker Plugin 1.1.6 and earlier

References

http://www.openwall.com/lists/oss-security/2019/07/11/4
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/109156
vdb-entryx_refsource_BID
https://jenkins.io/security/advisory/2019-07-11/#SECURITY...
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.