CVE-2019-10293
Description
A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Jenkins Kmap Plugin lacks a permission check in form validation, allowing attackers with Overall/Read to probe attacker-specified servers.
Vulnerability
Overview
CVE-2019-10293 affects the Jenkins Kmap Plugin (kmap-jenkins). A missing permission check in the KmapJenkinsBuilder.DescriptorImpl form validation methods allows any user with Overall/Read permission to exploit this flaw [1][3]. The root cause is the absence of a required Jenkins#checkPermission call, which would normally restrict such operations to users with a higher privilege level.
Exploitation
Prerequisites
Attackers need only Overall/Read permission on the Jenkins instance, which is typically granted to most authenticated users or even anonymous users if configured. No additional authentication is required beyond that. The plugin does not validate the user's authority when processing form validation requests, making it trivial to trigger [2].
Impact
A successful exploitation allows an attacker to initiate a connection to an attacker-specified server. While this does not directly expose Jenkins credentials or data, it can be used for network scanning, internal reconnaissance, or as part of a larger chain to exfiltrate information or launch further attacks [1][3].
Mitigation
The vulnerability was addressed in the Jenkins Security Advisory 2019-04-03. Users should update the Kmap Plugin to a version that includes the proper permission check. No workarounds are mentioned, so upgrading is the recommended course of action [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: all versions as of 2019-04-03
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q5wm-qgxj-h9ph (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10293 (advisory)
- www.openwall.com/lists/oss-security/2019/04/12/2 (mailing list, MLIST)
- www.securityfocus.com/bid/107790 (vulnerability database entry, BID)
- jenkins.io/security/advisory/2019-04-03/ (vendor advisory, CONFIRM)
News mentions
No linked articles in our index yet.