Missing Permission Check in Jenkins ElasticBox Kubernetes CI/CD Plugin
CVE-2019-10470

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Elasticbox Jenkins Kubernetes Ci/cd Plugin
Vendor: CVE Published:; 23 October 2019

What is CVE-2019-10470?

The Jenkins ElasticBox Kubernetes CI/CD Plugin exhibits a vulnerability due to a missing permission check in its form-related methods. This flaw allows users with Overall/Read access to potentially enumerate credentials stored within Jenkins. Such exposure could lead to unauthorized access and manipulation of sensitive information, emphasizing the need for proper access controls and security measures within Jenkins plugins.

Affected Version(s)

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier

References

https://jenkins.io/security/advisory/2019-10-23/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2019/10/23/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 23, 2019
Vulnerability Reserved
Mar 29, 2019