{"id":"GHSA-hch9-6qrj-5f49","summary":"Jenkins Kubernetes CI/CD Plugin vulnerable to Improper Authorization","details":"A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.\n\n## Note: Jenkins has suspended distribution of this plugin.","aliases":["CVE-2019-10469"],"modified":"2024-02-18T05:31:55.792714Z","published":"2022-05-24T16:59:36Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2022-12-06T21:29:48Z","severity":"MODERATE","nvd_published_at":"2019-10-23T13:15:00Z","cwe_ids":["CWE-276","CWE-285"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10469"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/kubernetes-ci-plugin"},{"type":"WEB","url":"https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1005%20(1)"},{"type":"WEB","url":"https://plugins.jenkins.io/kubernetes-ci"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2019/10/23/2"}],"affected":[{"package":{"name":"com.elasticbox.jenkins-ci.plugins:kubernetes-ci","ecosystem":"Maven","purl":"pkg:maven/com.elasticbox.jenkins-ci.plugins/kubernetes-ci"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.3"}]}],"versions":["1.0","1.1","1.2","1.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hch9-6qrj-5f49/GHSA-hch9-6qrj-5f49.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}