Jenkins jx-resources Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service account credentials used for the connection. Additionally, it allowed attackers to obtain the value of any attacker-specified environment variable for the Jenkins controller process.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
{ "nvd_published_at": "2019-06-11T14:29:00Z", "cwe_ids": [ "CWE-862" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-10-26T22:27:39Z" }