Cross-Site Request Forgery (CSRF) Affecting io.alauda.jenkins.plugins:alauda-kubernetes-support package, versions [0,]


0.0
medium
  • Attack Complexity

    Low

  • User Interaction

    Required

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-IOALAUDAJENKINSPLUGINS-538456

  • published

    20 Dec 2019

  • disclosed

    17 Dec 2019

  • credit

    Viktor Gazdag NCC Group

How to fix?

There is no fixed version for io.alauda.jenkins.plugins:alauda-kubernetes-support.

Overview

io.alauda.jenkins.plugins:alauda-kubernetes-support is a plugin for Jenkins.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). The package does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing 'Secret Text' credentials stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from /var/run/secrets/kubernetes.io/serviceaccount/token.