VYPR
Moderate severity · NVD Advisory · Published Sep 25, 2019 · Updated Aug 4, 2024

CVE-2019-10409

Description

Project Inheritance Plugin 2.0.0 and earlier lacks a permission check, allowing attackers with Overall/Read to trigger project generation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-10409 is a missing permission check in the Jenkins Project Inheritance Plugin versions 2.0.0 and earlier. The plugin fails to verify that users have the necessary authorization to trigger project generation from templates, relying only on the presence of Overall/Read permission [1][3].

Exploitation

An attacker with only Overall/Read permission, which is the lowest access level in Jenkins, can exploit this flaw by sending a crafted request to generate projects from pre-defined templates. The attack requires no special privileges beyond the default read access [1].

Impact

Successful exploitation allows the attacker to create arbitrary projects based on templates without proper authorization. This bypasses intended access controls that should restrict project generation to more privileged users, potentially leading to unauthorized configuration changes or information disclosure [1].

Mitigation

Jenkins released Project Inheritance Plugin version 19.08.02, which fixes the flaw by adding a proper authorization check before allowing project generation [2]. Users should upgrade to this version or later. No workarounds are mentioned.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Affected versions   Patched versions
hudson.plugins:project-inheritance (Maven)  < 19.08.02          19.08.02
