Cross-Site Request Forgery (CSRF) Affecting io.alauda.jenkins.plugins:alauda-kubernetes-support package, versions [0,]

  • Attack Complexity


  • User Interaction


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    20 Dec 2019

  • disclosed

    17 Dec 2019

  • credit

    Viktor Gazdag NCC Group

How to fix?

There is no fixed version for io.alauda.jenkins.plugins:alauda-kubernetes-support.


io.alauda.jenkins.plugins:alauda-kubernetes-support is a plugin for Jenkins.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). The package does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing 'Secret Text' credentials stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from /var/run/secrets/