VYPR
High severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024

CVE-2019-16575

Description

A CSRF vulnerability in Jenkins Alauda Kubernetes Support Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using stolen credentials, capturing Kubernetes service account tokens or Jenkins credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Alauda Kubernetes Support Plugin versions 2.3.0 and earlier. The plugin fails to require that HTTP requests for certain actions are made via POST, allowing an attacker to craft a malicious link or page that, when visited by an authenticated Jenkins user, triggers an unintended action [1]. This lack of CSRF protection enables the attacker to make the victim's browser send a crafted request to the Jenkins server, exploiting the user's authenticated session [2].

Exploitation and Attack Vector

The vulnerability allows an attacker to connect to a URL of their choice using attacker-specified credentials IDs. To exploit this, the attacker must first obtain valid credentials IDs through another method (e.g., via a separate vulnerability or information disclosure). The attacker then crafts a CSRF attack that causes an authenticated Jenkins user to send a request with those credentials to an attacker-controlled server [1][2]. The plugin's API endpoint does not validate the origin of the request, nor does it require a CSRF token, making the attack straightforward to execute once the prerequisite credentials IDs are known [3].

Impact

If successfully exploited, an attacker can intercept the Kubernetes service account token or other credentials stored in Jenkins. This could allow the attacker to gain unauthorized access to the Kubernetes cluster or other systems that the compromised credentials protect, potentially leading to lateral movement, data exfiltration, or further compromise of the Jenkins environment [1][3].

Mitigation Status

As of the advisory publication date (2019-12-17), no fix was available for this plugin; it remains an unresolved security vulnerability [1][2]. Users are advised to either disable the plugin if not in use, restrict access to the Jenkins instance, or implement additional network-level protections to mitigate the risk of CSRF attacks [1][2][3].
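One way to find out whether an instance still carries an affected build, as an added example that is not code from the advisory or the plugin project: it reads the plugin inventory Jenkins exposes at /pluginManager/api/json?depth=1 and flags the plugin when its version is 2.3.0 or earlier. The Jenkins short name alauda-kubernetes-support is assumed from the Maven artifactId on this page, and the JSON response below is constructed, not captured.

```python
import json

# Jenkins plugin short name is assumed from the advisory's Maven artifactId
# (io.alauda.jenkins.plugins:alauda-kubernetes-support); verify it on your instance.
AFFECTED_SHORT_NAME = "alauda-kubernetes-support"
LAST_AFFECTED_VERSION = "2.3.0"  # advisory: "2.3.0 and earlier", no patched version

def parse_version(version):
    """Turn '2.3', '2.3.0' or '2.3.0-beta1' into a comparable tuple of ints
    (padded to at least 3 parts). A '-qualifier' is dropped, so a 2.3.0
    pre-release compares equal to 2.3.0 and counts as affected."""
    parts = []
    for piece in version.split("-", 1)[0].split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version):
    """True when the installed version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)

def find_affected_plugins(plugin_manager_json):
    """Scan the JSON from Jenkins' /pluginManager/api/json?depth=1 and return
    (shortName, version, active) for each entry in the affected range."""
    hits = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        if plugin.get("shortName") != AFFECTED_SHORT_NAME:
            continue
        version = plugin.get("version", "0")
        if is_affected(version):
            hits.append((plugin["shortName"], version, bool(plugin.get("active", False))))
    return hits

# Constructed sample response, not captured from a real Jenkins instance.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.0.0", "active": True},
    {"shortName": "alauda-kubernetes-support", "version": "2.3.0", "active": True},
]})

if __name__ == "__main__":
    for name, version, active in find_affected_plugins(SAMPLE_RESPONSE):
        state = "enabled" if active else "already disabled"
        print(f"{name} {version}: affected by CVE-2019-16575 ({state}); no fix exists, disable it")
```

Against a live controller, fetch the endpoint with an authenticated session and pass the response body to find_affected_plugins; an enabled hit should be disabled rather than left to wait for a patch that the advisory does not list.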

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.alauda.jenkins.plugins:alauda-kubernetes-support (Maven)
Affected versions: <= 2.3.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)