Missing Permission Check in Jenkins Docker Plugin Allows Unauthorized Access
CVE-2019-10341
6.5 MEDIUM
Summary
A vulnerability in the Jenkins Docker Plugin allows users with Overall/Read access to make Jenkins connect to a specified URL using attacker-provided credentials. Because the permission check is missing, this can expose sensitive credentials stored within Jenkins. By exploiting this weakness, attackers can gain unauthorized access to Jenkins environments, compromising the confidentiality and integrity of the system. Users are advised to review their plugin version and update to a patched release to mitigate this risk.
Affected Version(s)
Jenkins Docker Plugin 1.1.6 and earlier
CVSS v3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged