VYPR
High severity · NVD Advisory · Published Aug 1, 2018 · Updated Sep 17, 2024

CVE-2018-1999040

Description

Jenkins Kubernetes Plugin 1.10.1 and earlier exposes credentials to attackers with a known credentials ID via a form validation endpoint that lacked POST enforcement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An information-exposure vulnerability exists in Jenkins Kubernetes Plugin versions 1.10.1 and earlier, in the KubernetesCloud.java source file. Attackers who know a credentials ID can capture those credentials because the doTestConnection and doFillCredentialsIdItems form validation methods neither required POST requests nor checked permissions, so any user with Overall/Read access could invoke them. [1][2][3]

Exploitation

An attacker needs only a known credentials ID (e.g., from an existing job configuration or other enumeration) and network access to the Jenkins instance. The attacker can craft a GET request to the vulnerable form validation endpoints, such as doTestConnection or doFillCredentialsIdItems, and the plugin will return the credential values in the response. No authentication beyond a session with Overall/Read access is required, and no user interaction is needed. [1][2][3]

Impact

Successful exploitation leads to the disclosure of stored credentials, which may include SSH keys, API tokens, or other sensitive authentication material. The attacker gains access to these secrets, potentially allowing further lateral movement or compromise of external systems that Jenkins connects to. The scope is limited to credentials stored in Jenkins that the attacker already knows the ID for. [1][2]

Mitigation

The vulnerability is fixed in Jenkins Kubernetes Plugin version 1.10.2, released on 2018-07-30. The fix adds the @RequirePOST annotation to enforce POST requests and includes permission checks (Jenkins.ADMINISTER) on the vulnerable endpoints. Users should upgrade to version 1.10.2 or later. If upgrade is not possible, ensure that only trusted users have Overall/Read access, though this is not a full workaround. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1][2][3]
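For instances that cannot yet be upgraded, the Exploitation and Mitigation sections above suggest what to watch for: GET requests to the two form validation endpoints. The following detection script is an added example, not code from the advisory or from the plugin; it scans the access log of a reverse proxy placed in front of Jenkins. The descriptorByName URL path for KubernetesCloud and the combined log format are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Stapler path of the patched descriptor's form-validation methods (class name assumed).
DESCRIPTOR = "org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud"
PREFIX = f"/descriptorByName/{DESCRIPTOR}/"

# Combined-format access log of a reverse proxy in front of Jenkins (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic.
SAMPLE = [
    f'10.0.0.5 - alice [01/Aug/2018:10:00:01 +0000] "GET {PREFIX}testConnection'
    f'?name=k8s&serverUrl=https://k8s.example/&credentialsId=prod-k8s-token HTTP/1.1"'
    f' 200 154 "-" "curl/7.61"',
    f'10.0.0.6 - bob [01/Aug/2018:10:00:02 +0000] "POST {PREFIX}testConnection HTTP/1.1"'
    f' 200 154 "-" "Mozilla/5.0"',
    f'10.0.0.5 - alice [01/Aug/2018:10:00:03 +0000] "GET {PREFIX}fillCredentialsIdItems'
    f'?serverUrl=https://k8s.example/ HTTP/1.1" 200 512 "-" "curl/7.61"',
    '10.0.0.9 - - [01/Aug/2018:10:00:04 +0000] "GET /job/app/configure HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspect(rec):
    """Pre-1.10.2 exposure pattern: a GET (the fixed plugin accepts only POST) to
    testConnection naming a credentials ID, or any GET to fillCredentialsIdItems."""
    if rec is None or rec["method"] != "GET":
        return False
    path, _, query = rec["path"].partition("?")
    if PREFIX not in path:          # substring match tolerates a Jenkins context path
        return False
    endpoint = path.split(PREFIX, 1)[1]
    if endpoint == "testConnection":
        return "credentialsId=" in query   # the advisory's precondition
    return endpoint == "fillCredentialsIdItems"

def scan(lines):
    return [rec for rec in map(parse_line, lines) if is_suspect(rec)]

def summarize(hits):
    """Suspect requests per (source IP, authenticated user) for triage."""
    return Counter((h["ip"], h["user"]) for h in hits)
```

Run it against the proxy's historical logs to see whether these endpoints were ever called with GET before the upgrade; every hit names the user and source address to follow up on.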

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.csanchez.jenkins.plugins:kubernetes (Maven)
Affected versions: < 1.10.2
Patched versions: 1.10.2


Patches

bf7a47847dfb

[SECURITY-1016]

https://github.com/jenkinsci/kubernetes-plugin · Carlos Sanchez · Jul 23, 2018 · via ghsa
2 files changed · +11 −0
  • CHANGELOG.md (modified, +5 −0)
    @@ -9,6 +9,11 @@ See the full list of issues at [JIRA](https://issues.jenkins-ci.org/issues/?filt
     
     Preserve resources other than CPU and memory
     
    +1.10.2
    +------
    +
    +* Global configuration `testConnection` using GET allows stealing credentials + CSRF [SECURITY-1016](https://issues.jenkins-ci.org/browse/SECURITY-1016)
    +
     1.10.1
     -------
     
    
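Review bot: the 1.10.2 entry names only the `testConnection` GET issue, but the same commit also hardens `doFillCredentialsIdItems` and `doCheckMaxRequestsPerHostStr` in KubernetesCloud.java; list all three endpoints here so a user reading the changelog can judge their exposure without opening the diff.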
  • src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java (modified, +6 −0)
    @@ -34,6 +34,7 @@
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.DataBoundSetter;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import com.cloudbees.plugins.credentials.CredentialsMatchers;
     import com.cloudbees.plugins.credentials.CredentialsProvider;
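Review bot: the only import added is `org.kohsuke.stapler.interceptor.RequirePOST`, yet the later hunks call `Jenkins.get()` and `Jenkins.ADMINISTER`; confirm that `jenkins.model.Jenkins` is already imported in this file and that the plugin's minimum Jenkins core version provides `Jenkins.get()` (older cores only offer `Jenkins.getInstance()`), otherwise the build breaks on older targets.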
    @@ -589,12 +590,14 @@ public static void addAliases() {
                         org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential.class);
             }
     
    +        @RequirePOST
             public FormValidation doTestConnection(@QueryParameter String name, @QueryParameter String serverUrl, @QueryParameter String credentialsId,
                                                    @QueryParameter String serverCertificate,
                                                    @QueryParameter boolean skipTlsVerify,
                                                    @QueryParameter String namespace,
                                                    @QueryParameter int connectionTimeout,
                                                    @QueryParameter int readTimeout) throws Exception {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
     
                 if (StringUtils.isBlank(name))
                     return FormValidation.error("name is required");
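Review bot: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is correctly the first statement, before any query parameter is used, and `@RequirePOST` closes the CSRF path the changelog mentions; the gap is that no test accompanies the change (only CHANGELOG.md and KubernetesCloud.java are touched), so add a unit test that invokes `doTestConnection` once via GET and once as a non-administrator and asserts both are rejected, so the protection cannot regress silently.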
    @@ -618,7 +621,9 @@ public FormValidation doTestConnection(@QueryParameter String name, @QueryParame
                 }
             }
     
    +        @RequirePOST
             public ListBoxModel doFillCredentialsIdItems(@QueryParameter String serverUrl) {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 return new StandardListBoxModel().withEmptySelection() //
                         .withMatching( //
                                 CredentialsMatchers.anyOf(
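Review bot: `checkPermission(Jenkins.ADMINISTER)` throws for non-administrators, which in a doFill method shows up as a broken dropdown rather than a quiet empty list; the customary Jenkins pattern for credential selectors is to test `hasPermission` and return an empty `StandardListBoxModel` when the caller lacks the right, which keeps credential IDs from being enumerated while letting the form degrade gracefully. Also confirm that the `f:select` backing this method submits via POST now that `@RequirePOST` is present.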
    @@ -638,6 +643,7 @@ public ListBoxModel doFillCredentialsIdItems(@QueryParameter String serverUrl) {
     
             }
     
    +        @RequirePOST
             public FormValidation doCheckMaxRequestsPerHostStr(@QueryParameter String value) throws IOException, ServletException {
                 try {
                     Integer.parseInt(value);
    
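Review bot: this method gains `@RequirePOST` but, unlike the two methods above, no `checkPermission` call; since it only does `Integer.parseInt(value)` nothing sensitive is returned, but either add the same `Jenkins.ADMINISTER` check for consistency or leave a one-line comment stating why it is unnecessary, so the next reader does not take the omission for an oversight.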

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
