VYPR
Moderate severity · NVD Advisory · Published Oct 16, 2019 · Updated Aug 4, 2024

CVE-2019-10457

Description

Jenkins Oracle Cloud Infrastructure Compute Classic Plugin lacks a permission check, allowing attackers with Overall/Read to connect to attacker-controlled URLs using attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Jenkins Oracle Cloud Infrastructure Compute Classic Plugin fails to perform a required permission check in one of its form validation methods. This missing check means that any user with the relatively low-privileged Overall/Read permission is able to trigger the plugin to connect to an attacker-specified URL. The attacker can also supply arbitrary credentials for that connection [1][3].
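The form-validation pattern behind this class of Jenkins issue, as an added illustration that is not the plugin's code: a "test connection" method reachable without a permission check, beside the hardened form that requires Overall/Administer and POST. Class, method and parameter names are hypothetical; the Jenkins core and Credentials plugin APIs used are real.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
import java.util.Collections;

// Hypothetical descriptor standing in for a cloud plugin's global configuration;
// class, method and parameter names are illustrative, not the plugin's own.
public class ExampleCloudDescriptor {
    // Vulnerable shape: callable by anyone with Overall/Read. The caller chooses both the
    // URL and the credentials ID, so Jenkins resolves a stored secret and sends it there.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String apiEndpoint,
                                                    @QueryParameter String credentialsId) {
        return connect(apiEndpoint, credentialsId);
    }

    // Hardened shape: require Overall/Administer before touching credentials, and
    // accept only POST so the method cannot be triggered through a crafted link.
    @POST
    public FormValidation doTestConnection(@QueryParameter String apiEndpoint,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(apiEndpoint, credentialsId);
    }

    private FormValidation connect(String apiEndpoint, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) return FormValidation.error("No credentials with ID " + credentialsId);
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(apiEndpoint).openConnection();
            String basic = c.getUsername() + ":" + Secret.toString(c.getPassword());
            conn.setRequestProperty("Authorization",
                    "Basic " + Base64.getEncoder().encodeToString(basic.getBytes("UTF-8")));
            return conn.getResponseCode() < 400 ? FormValidation.ok("Connection succeeded")
                    : FormValidation.error("Endpoint returned HTTP " + conn.getResponseCode());
        } catch (java.io.IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```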

Exploitation

Details

An attacker who already has Overall/Read access to a Jenkins instance can craft a request that causes the plugin to connect to any URL they choose. The connection is made with credentials the attacker specifies; if the attacker controls the target endpoint, this may allow them to capture credentials stored in Jenkins. No additional permissions are required beyond the default read access [1][2].

Impact

By exploiting this missing permission check, an attacker can use the Jenkins server as a proxy to interact with arbitrary external services. If the attacker controls the destination server, they can capture the credentials that Jenkins sends, potentially compromising other credentials stored in Jenkins. This could lead to lateral movement or further compromise of the Jenkins environment [1][2].

Mitigation

As of the October 2019 security advisory, the vulnerability was unresolved; the vendor noted it as a known issue with no patch released at that time. Users of the Oracle Cloud Infrastructure Compute Classic Plugin should restrict Overall/Read access to trusted users only, or consider disabling the plugin if it is not essential for their workflows [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:oracle-cloud-infrastructure-compute-classic (Maven)
Affected versions: <= 1.0.0
Patched versions: none listed

Affected products: 2

Patches: 0
No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0
No linked articles in our index yet.