VYPR
Moderate severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024

CVE-2019-16574

Description

Alauda DevOps Pipeline Plugin 2.3.2 and earlier missing permission check allows attackers with Overall/Read to connect to attacker-controlled URLs and capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Alauda DevOps Pipeline Plugin for Jenkins, versions 2.3.2 and earlier, contains a missing permission check vulnerability [1][2][3]. The plugin fails to verify that a user has appropriate permissions before allowing them to initiate connections to external URLs using credentials stored in Jenkins. This flaw exists in a feature that presumably connects to external services, but does not enforce authorization beyond the basic Overall/Read permission.

Exploitation and Attack Surface

An attacker with only the Overall/Read permission (the lowest level of access in Jenkins) can exploit this vulnerability [1][2]. The attacker can specify an arbitrary URL to connect to and provide credentials IDs obtained through another method (e.g., by enumerating credentials via a separate vulnerability or by reading configuration files). No further authentication or administrative privileges are required. The attack can be launched from a low-privileged user account within Jenkins.

Impact

Successful exploitation allows the attacker to have the Jenkins controller connect to an attacker-controlled URL using the selected credentials [1][3]. This process can capture the credentials stored in Jenkins, effectively leaking them to the attacker. The captured credentials could include passwords, API tokens, SSH keys, or other secrets that Jenkins uses for integration with other systems. This can lead to further compromise of connected services and the Jenkins environment itself.
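To make the vulnerability class concrete, here is an added Java illustration of a Jenkins form-validation endpoint of the kind a "Test connection" button calls, shown once without authorization controls and once with the controls Jenkins expects on such endpoints. This is example code written for this page, not the Alauda DevOps Pipeline Plugin's source; the package, class and method names (ConnectionCheck, doTestConnectionUnchecked, doTestConnection) are hypothetical, while the Jenkins and Credentials Plugin APIs used are real.

```java
package io.example.jenkins; // hypothetical package; not the Alauda plugin

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/**
 * Illustration of the "missing permission check" class described in the advisory,
 * not the Alauda plugin's actual code. Both methods are Stapler-bound endpoints; the
 * only differences between them are the authorization and request-method controls.
 */
public class ConnectionCheck {

    /**
     * Vulnerable pattern: reachable by any authenticated user (Overall/Read suffices),
     * over GET, and it resolves credentials globally as SYSTEM. A caller who knows a
     * credentials ID can point serverUrl at a host they control and receive the secret.
     */
    public FormValidation doTestConnectionUnchecked(@QueryParameter String serverUrl,
                                                    @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM,
                        URIRequirementBuilder.fromUri(serverUrl).build()),
                CredentialsMatchers.withId(credentialsId));
        return connect(serverUrl, creds);
    }

    /**
     * Hardened pattern: POST only, an explicit permission check, and a credential
     * lookup scoped to the item the caller is configuring.
     */
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        // Authorization: configuring the job (or administering Jenkins when called
        // from the global configuration page) is required; Overall/Read is not enough.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        // Scope the lookup to the item so only credentials the job may already use are reachable.
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM,
                        URIRequirementBuilder.fromUri(serverUrl).build()),
                CredentialsMatchers.withId(credentialsId));
        return connect(serverUrl, creds);
    }

    /** Shared connection test: a single HEAD request with HTTP Basic authentication. */
    private static FormValidation connect(String serverUrl, StandardUsernamePasswordCredentials creds) {
        if (creds == null) {
            return FormValidation.error("No credentials found for that ID");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            String pair = creds.getUsername() + ":" + Secret.toString(creds.getPassword());
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8)));
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The detection-side takeaway is the same as the fix: an endpoint that both resolves a stored credential and opens an outbound connection to a caller-supplied URL must require a permission stronger than Overall/Read (Item/Configure for job-level configuration, Overall/Administer for global configuration) and must be restricted to POST so that it cannot be triggered through a crafted link. When reviewing a plugin, the `do*` methods that take a `credentialsId` parameter are the first place to look for this pattern.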

Mitigation

Status

As of the advisory date (2019-12-17), no fix has been released for the Alauda DevOps Pipeline Plugin [1][2]. The plugin is listed among those with unresolved security issues. Users are advised to either remove or disable the plugin if it is not required, or restrict access to Jenkins to trusted users only until a patched version is available.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.alauda.jenkins.plugins:alauda-devops-pipeline (Maven)
Affected versions: <= 2.3.2
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.