Allele Security Alert

Identifiers: ASA-2019-00610, CVE-2019-10470, SECURITY-1005 (2)

Summary: Users with Overall/Read access could enumerate credential IDs

Vendor: Guillermo Sanchez Urien

Affected product: Jenkins ElasticBox Kubernetes CI/CD Plugin

Affected versions: Jenkins ElasticBox Kubernetes CI/CD Plugin versions up to and including 1.3

Proof of concept
Description

Jenkins ElasticBox Kubernetes CI/CD Plugin provides a list of applicable credential IDs so that users configuring the plugin can select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to obtain a list of valid credential IDs. Those IDs can then be used as part of an attack that captures the credentials themselves through another vulnerability.
Credit: Oleg Nenashev (CloudBees, Inc)

References:
- Jenkins Security Advisory 2019-10-23
- Jenkins security advisory
- oss-security – Multiple vulnerabilities in Jenkins plugins
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 6, 2019