Learn about CVE-2019-10368, a vulnerability in Jenkins JClouds Plugin versions up to 2.14 allowing attackers to access sensitive credentials in Jenkins. Find mitigation steps and prevention measures here.
A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier allowed an attacker to make Jenkins connect to an attacker-specified URL using credentials stored in Jenkins, so that those credentials were sent to a server the attacker controls.
Understanding CVE-2019-10368
This CVE identifies a cross-site request forgery (CSRF) vulnerability in Jenkins JClouds Plugin 2.14 and earlier.
What is CVE-2019-10368?
The affected endpoints were not protected against CSRF. An attacker who could get a user with Overall/Read permission to submit a crafted request (for example, by having them visit a page the attacker controls while logged in to Jenkins) could make Jenkins connect to an attacker-specified URL using an attacker-specified credentials ID, obtained through another method. Jenkins then presented the stored credentials to that URL, allowing the attacker to capture them.
The Impact of CVE-2019-10368
A successful attack discloses credentials stored in Jenkins (for example cloud provider or blob store credentials configured for the plugin) to an attacker-controlled server. Because the attacker only needs a victim with Overall/Read permission, which on many installations is granted to all authenticated users, the risk to affected systems is significant.
Technical Details of CVE-2019-10368
Jenkins JClouds Plugin 2.14 and earlier are affected by this vulnerability.
Vulnerability Description
The vulnerability resided in the form-validation methods BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection. Both methods accept a user-supplied endpoint URL and a credentials ID and open a connection to that URL with the referenced credentials. Since they lacked CSRF protection, a forged request could trigger them on behalf of a logged-in user, making Jenkins connect to a URL of the attacker's choosing.
Affected Systems and Versions
Jenkins installations with JClouds Plugin 2.14 or earlier installed. Any credentials stored in Jenkins that can be referenced by ID from the plugin's connection-test endpoints are at risk of disclosure.
Exploitation Mechanism
The attacker needs a credentials ID stored in the target Jenkins instance (obtained through another method) and a victim with Overall/Read permission who is logged in to Jenkins. The attacker prepares a request to one of the affected doTestConnection endpoints with the endpoint URL pointing at an attacker-controlled server and the credentials ID set to the target credentials, then causes the victim's browser to send that request (a classic CSRF delivery, such as a page or link the victim opens). Jenkins processes the request in the victim's session, connects to the attacker's server using the stored credentials, and the attacker's server records them.
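To make the fix pattern concrete, the following added example (written for this page, not code from the JClouds Plugin) shows a Jenkins Descriptor "test connection" form-validation method in the vulnerable shape described above, next to a hardened form that follows the standard Jenkins plugin guidance of requiring POST and checking a permission before acting. The class ExampleCloud, the field names and the connect() helper are assumptions for illustration only.

```java
// Added illustrative example, not the JClouds Plugin's own code.
// Demonstrates the CVE-2019-10368 class of bug: a form-validation endpoint that
// takes an attacker-chosen URL and credentials ID, and how to harden it.
// ExampleCloud, the parameter names and connect() are assumptions for illustration.

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class ExampleCloud extends AbstractDescribableImpl<ExampleCloud> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleCloud> {

        // BEFORE (vulnerable pattern): reachable by GET, so a page the victim
        // visits can make the victim's browser call it (CSRF); no permission
        // check, so any user with Overall/Read triggers the connection.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String endpointUrl,
                                                     @QueryParameter String credentialsId) {
            StandardUsernamePasswordCredentials c = lookup(credentialsId);
            if (c == null) {
                return FormValidation.error("No credentials with ID " + credentialsId);
            }
            // Sends the stored username/password to whatever endpointUrl says.
            return connect(endpointUrl, c);
        }

        // AFTER (hardened): @POST rejects GET, and Jenkins requires a CSRF crumb
        // on POST, which a forged cross-site request cannot supply. The permission
        // check restricts the endpoint to administrators, who can already read
        // the global configuration this method belongs to.
        @POST
        public FormValidation doTestConnection(@QueryParameter String endpointUrl,
                                               @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            StandardUsernamePasswordCredentials c = lookup(credentialsId);
            if (c == null) {
                return FormValidation.error("No credentials with ID " + credentialsId);
            }
            return connect(endpointUrl, c);
        }

        // Resolve a credentials ID to the stored username/password credentials.
        private static StandardUsernamePasswordCredentials lookup(String credentialsId) {
            return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                    StandardUsernamePasswordCredentials.class,
                    Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        }

        // Perform the actual test: an HTTP request with Basic authentication.
        // This is the step that leaks the secret when endpointUrl is attacker-controlled.
        private static FormValidation connect(String endpointUrl,
                                              StandardUsernamePasswordCredentials c) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(endpointUrl).openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
                conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
                int code = conn.getResponseCode();
                return code < 400
                    ? FormValidation.ok("Connected (HTTP " + code + ")")
                    : FormValidation.error("Endpoint returned HTTP " + code);
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

The two changes in the hardened method address the two conditions the attack relies on: POST-only plus the crumb removes the cross-site trigger, and the permission check removes the Overall/Read attack surface. When a connection test belongs to a per-item configuration rather than global configuration, the corresponding item permission (for example Item.CONFIGURE on the item) is the appropriate check instead of Jenkins.ADMINISTER.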
Mitigation and Prevention
Taking immediate steps and implementing long-term security practices are crucial to mitigate the risks associated with CVE-2019-10368.
Immediate Steps to Take
Identify whether JClouds Plugin 2.14 or earlier is installed and update it as soon as a fixed release is available. Until then, limit Overall/Read permission to users who need it, review which credentials the plugin's cloud and blob store configurations reference, and, if there is any indication that the connection-test endpoints were triggered with an unexpected URL, rotate the affected credentials.
Long-Term Security Practices
Keep Jenkins core and all plugins current and follow the Jenkins security advisories. Keep CSRF protection enabled in Jenkins, grant Overall/Read and credential access on a least-privilege basis, and scope credentials so that a single disclosure does not expose more than the job or cloud that needs them.
Patching and Updates
Update the JClouds Plugin to a release that the Jenkins security advisory for CVE-2019-10368 lists as containing the fix; this page does not state the fixed version. After updating, confirm the installed plugin version through the Jenkins plugin manager.