VYPR
Moderate severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024

CVE-2019-16576

Description

Missing permission check in Jenkins Alauda Kubernetes Support Plugin allows attackers with Overall/Read to capture credentials via attacker-controlled URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Alauda Kubernetes Support Plugin for Jenkins up to version 2.3.0 contains a missing permission check in a method that allows connecting to arbitrary URLs using attacker-specified credentials IDs. This flaw stems from insufficient authorization enforcement, enabling users with only Overall/Read permission to trigger connections to external endpoints controlled by the attacker [1][3].

To exploit this vulnerability, an attacker must first obtain credentials IDs through another method (e.g., cross-site scripting or other information disclosure). With Overall/Read permission, the attacker can then cause the plugin to connect to a malicious URL, passing the chosen credentials. The connection is made from the Jenkins controller, potentially exposing sensitive information in transit or allowing the attacker to capture the response [1][3].

The impact includes the compromise of the Kubernetes service account token or any Jenkins-stored credentials used in the crafted request. An attacker could exfiltrate these secrets, leading to lateral movement within Kubernetes clusters or further compromise of Jenkins pipelines and integrations [1][3].

As of the advisory publication date, no fix has been provided; the vulnerability remains unpatched. Administrators are advised to restrict Overall/Read permission to trusted users and monitor for suspicious network connections originating from the Jenkins controller [1]. No workaround is documented.
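The pattern the narrative describes (a form-validation endpoint that resolves a caller-supplied credentials ID and connects to a caller-supplied URL without checking that the caller may configure the item) is common across Jenkins plugins. The following is an added illustration written for this page, not the Alauda Kubernetes Support Plugin's code: the class and method names are hypothetical, and it assumes the standard Jenkins core, Credentials and Plain Credentials plugin APIs. The vulnerable method is shown beside the hardened one so the defensive points are clear: check `Item/Configure` (or `Overall/Administer` when there is no item context) before touching credentials or the network, and require POST so a GET link cannot trigger the connection.

```java
// Added example, not the plugin's own code. Names are hypothetical.
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import java.net.HttpURLConnection;
import java.net.URL;

public class HypotheticalKubernetesCloudDescriptor {

    // VULNERABLE PATTERN (for contrast): no permission check and no POST
    // requirement, so any user who can reach the endpoint (Overall/Read)
    // makes the controller connect to serverUrl with the stored credential
    // named by credentialsId. The credential is resolved as SYSTEM, so the
    // caller's own rights on the credential are never consulted.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String serverUrl,
                                                     @QueryParameter String credentialsId) {
        StandardCredentials c = lookup(null, serverUrl, credentialsId);
        return connect(serverUrl, c);
    }

    // HARDENED PATTERN: the caller must be able to configure the item (or
    // administer Jenkins when called outside an item) before any credential
    // is resolved or any connection is opened; @POST blocks GET-triggered use.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardCredentials c = lookup(item, serverUrl, credentialsId);
        if (c == null) {
            return FormValidation.error("Credentials not found or not usable in this context");
        }
        return connect(serverUrl, c);
    }

    // Resolve a credential by ID, scoped to the item and to the target URL's
    // domain requirements. Only safe to call after the permission check above.
    private static StandardCredentials lookup(Item item, String serverUrl, String credentialsId) {
        if (credentialsId == null || credentialsId.isEmpty()) {
            return null;
        }
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardCredentials.class, item, ACL.SYSTEM,
                        URIRequirementBuilder.fromUri(serverUrl).build()),
                CredentialsMatchers.withId(credentialsId));
    }

    // Open the connection from the controller. If the credential is a secret
    // text (e.g. a Kubernetes service account token) it is sent as a bearer
    // header, which is exactly what an attacker-controlled serverUrl would
    // capture when the permission check is missing.
    private static FormValidation connect(String serverUrl, StandardCredentials c) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            if (c instanceof StringCredentials) {
                conn.setRequestProperty("Authorization",
                        "Bearer " + ((StringCredentials) c).getSecret().getPlainText());
            }
            int code = conn.getResponseCode();
            return code < 400
                    ? FormValidation.ok("Connected (HTTP " + code + ")")
                    : FormValidation.error("Server returned HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

When reviewing a plugin for this class of issue, look for every `doFillXxxItems`, `doCheckXxx` and `doTestConnection` style method that takes a `credentialsId` parameter: each one should either carry a permission check of the kind shown in `doTestConnection` or be unable to reach the network or the secret value at all. Until a fixed release is available, the monitoring advice above (watching for unexpected outbound connections from the controller) is the detection side of the same problem.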

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                               Ecosystem   Affected versions   Patched versions
io.alauda.jenkins.plugins:alauda-kubernetes-support   Maven       <= 2.3.0            (none)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in the index yet)