Moderate severity · NVD Advisory · Published Jul 31, 2019 · Updated Aug 4, 2024

CVE-2019-10365

Description

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier wrote a temporary access token to a workspace file, allowing users with Job/Read permission to read it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

Jenkins Google Kubernetes Engine Plugin creates temporary files in the project workspace during operation. In versions 0.6.2 and earlier, these files contained a short-lived access token used for authentication to Google Kubernetes Engine [1][3]. The token was not stored with proper access controls, relying instead on the default workspace permissions.

Attack Vector

An attacker authenticated to Jenkins with at least Job/Read permission could access the workspace files of a project that uses the plugin [1]. Because the temporary file resided in the same location as other build artifacts, any user authorized to view the project's workspace could retrieve the token. No additional privileges or cross-site request forgery are required [1][2].

Impact

With the leaked access token, an attacker could impersonate the Jenkins service account for Google Kubernetes Engine. This could allow unauthorized management of GKE clusters, including deploying or modifying workloads, accessing secrets, or escalating privileges within the Kubernetes environment [1].

Mitigation

The Jenkins project released version 0.6.3 of the Google Kubernetes Engine Plugin, which no longer writes the access token to the workspace [2]. All users running versions 0.6.2 or earlier should upgrade immediately. There is no known workaround [1].
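The bug class described above, as an added illustration in Python rather than the plugin's own Java code: a credential written beside the build files, next to a variant that keeps it out of the workspace. The file name, the function names and the choice of a private temporary directory are assumptions made for this example, not details from the advisory.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager
from pathlib import Path

TOKEN_FILE = "gke-token.tmp"  # hypothetical name; the page does not give the real one


def is_inside(path: Path, directory: Path) -> bool:
    """True if path resolves to a location at or below directory."""
    path, directory = path.resolve(), directory.resolve()
    return path == directory or directory in path.parents


def write_token_in_workspace(workspace: Path, token: str) -> Path:
    """Vulnerable pattern: the token sits beside the build files, so anyone
    allowed to browse the workspace can read it."""
    path = workspace / TOKEN_FILE
    path.write_text(token)
    return path


@contextmanager
def token_file_outside_workspace(workspace: Path, token: str):
    """Hardened pattern: private directory outside the workspace, owner-only
    file, removed as soon as the caller is done with it."""
    tmp_dir = Path(tempfile.mkdtemp(prefix="gke-cred-"))  # created with mode 0700
    try:
        if is_inside(tmp_dir, workspace):  # e.g. TMPDIR pointed into the workspace
            raise RuntimeError("temp directory resolves inside the workspace")
        path = tmp_dir / TOKEN_FILE
        # O_EXCL refuses to reuse an existing file; 0o600 is owner read/write only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as handle:
            handle.write(token)
        yield path
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)


if __name__ == "__main__":
    ws = Path(tempfile.mkdtemp(prefix="workspace-"))  # constructed stand-in workspace
    leaked = write_token_in_workspace(ws, "constructed-sample-token")
    print("vulnerable:", leaked, "inside workspace:", is_inside(leaked, ws))
    with token_file_outside_workspace(ws, "constructed-sample-token") as safe:
        print("hardened:", safe, "inside workspace:", is_inside(safe, ws))
    print("removed after use:", not safe.exists())
    shutil.rmtree(ws)
```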

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:google-kubernetes-engine (Maven)
Affected versions: < 0.6.3
Patched versions: 0.6.3
