CVE-2019-10445
Description
Missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier leaks credential scope information to attackers with Overall/Read permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Analysis
The Google Kubernetes Engine Plugin for Jenkins, version 0.7.0 and earlier, does not perform a permission check in the code path that reports the scope of a stored credential. Because the caller's authorization is never verified, any user holding Overall/Read permission can ask the plugin for the scope of a credential identified by an attacker-specified credentials ID [1][2].
Exploitation
Overall/Read is the baseline permission that Jenkins authorization strategies commonly grant to every authenticated user, so in practice any account on the instance qualifies. The attacker sends a crafted request to the affected plugin endpoint, supplying a credentials ID of interest, and the plugin responds with limited information about that credential's scope even though the attacker would not normally be allowed to see it [3]. No special network position is required beyond being able to reach the Jenkins controller's web interface.
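The following is an added illustration of the bug class described in the Analysis and Exploitation sections; it is not code from the Google Kubernetes Engine Plugin. It assumes, as a hypothetical, that the leaking endpoint is a Stapler form-validation web method named doCheckCredentialsId on a plugin descriptor (the usual shape of Jenkins "missing permission check" findings). The vulnerable form performs the credential lookup for any caller; the hardened form applies the standard Jenkins permission check before doing anything observable.

```java
// Added illustration of the bug class; NOT the GKE plugin's own code.
// Hypothetical assumptions: the leaking endpoint is a Stapler form-validation
// web method named doCheckCredentialsId on a descriptor, reachable by URL
// like any other doCheck* method.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.util.Collections;
import java.util.List;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

public class CredentialsScopeValidation {

    private static final List<DomainRequirement> NO_DOMAIN = Collections.emptyList();

    // VULNERABLE shape. Stapler exposes doCheck* methods as web endpoints, so
    // any user who can reach the controller (Overall/Read) can call this with
    // an arbitrary credentials ID. Nothing asks who the caller is, and the
    // response reveals the credential's scope (and confirms the ID exists).
    public FormValidation doCheckCredentialsIdVulnerable(@QueryParameter String value) {
        StandardCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardCredentials.class, Jenkins.get(), ACL.SYSTEM, NO_DOMAIN),
                CredentialsMatchers.withId(value));
        if (c == null) {
            return FormValidation.error("No credential with ID " + value);
        }
        return FormValidation.ok("Credential scope: " + c.getScope());
    }

    // HARDENED shape: the standard Jenkins fix for this bug class. The caller
    // must hold a permission on the context the form belongs to (ADMINISTER
    // for the global configuration page, where item is null; EXTENDED_READ or
    // USE_ITEM for a job). Anyone else gets an uninformative OK, so neither
    // the scope nor the existence of the ID is confirmed to them.
    public FormValidation doCheckCredentialsId(@AncestorInPath Item item,
                                               @QueryParameter String value) {
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return FormValidation.ok();
        }
        if (value == null || value.isEmpty()) {
            return FormValidation.ok();
        }
        // Look up in the same context the form is bound to, so a job-scoped
        // form cannot be used to probe credentials outside that job's reach.
        List<StandardCredentials> visible = item == null
                ? CredentialsProvider.lookupCredentials(
                        StandardCredentials.class, Jenkins.get(), ACL.SYSTEM, NO_DOMAIN)
                : CredentialsProvider.lookupCredentials(
                        StandardCredentials.class, item, ACL.SYSTEM, NO_DOMAIN);
        StandardCredentials c = CredentialsMatchers.firstOrNull(
                visible, CredentialsMatchers.withId(value));
        if (c == null) {
            return FormValidation.error("No credential with ID " + value);
        }
        return FormValidation.ok("Credential scope: " + c.getScope());
    }
}
```

Stapler fills the annotated parameters automatically when the method is invoked from a configuration form or directly by URL; the null `item` case is the global configuration page, which is why the two branches differ. When reviewing a Jenkins plugin for this class of issue, list every doCheck*, doFill*, doTest* and doValidate* method on its descriptors and confirm each one performs a permission check before it touches credentials or makes a network call.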
Impact
Successful exploitation discloses limited information about the scope of credentials stored in Jenkins; the credential secret itself is not revealed. In Jenkins, scope distinguishes credentials usable only by the controller (system scope) from those that jobs may consume (global scope), so the leak helps an attacker judge which stored credentials could be reached from a build they can influence and plan further attacks accordingly. The issue is rated medium severity as an information disclosure.
Mitigation
The vulnerability is fixed in Google Kubernetes Engine Plugin 0.7.1, which performs the missing permission check [1][2][4]. Upgrade to 0.7.1 or later; no workaround is published for the affected versions. The Jenkins Security Advisory of 2019-10-16 is the authoritative source for the fix and coordinated this disclosure alongside other plugin fixes in the same advisory [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:google-kubernetes-engine | Maven | < 0.7.1 | 0.7.1 |
Affected products
- Range: 0.7.0 and earlier
References
- [1] Jenkins Security Advisory 2019-10-16: jenkins.io/security/advisory/2019-10-16/
- [2] GitHub Security Advisory GHSA-wwr4-79jv-297r: github.com/advisories/GHSA-wwr4-79jv-297r
- [3] oss-security mailing list post, 2019-10-16: www.openwall.com/lists/oss-security/2019/10/16/6
- [4] NVD entry for CVE-2019-10445: nvd.nist.gov/vuln/detail/CVE-2019-10445