A vulnerability, which was classified as problematic, has been found in Docker Plugin up to 1.1.6 on Jenkins (Virtualization Software). This issue affects the function fillCredentialsIdItems of the component Permission Check. The manipulation with an unknown input leads to a information disclosure vulnerability (Credentials). Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

The weakness was released 07/11/2019 (oss-sec). It is possible to read the advisory at openwall.com. The identification of this vulnerability is CVE-2019-10342 since 03/29/2019. The exploitation is known to be easy. The attack may be initiated remotely. The successful exploitation requires a simple authentication. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at VDB-137709, VDB-137710, VDB-137715 and VDB-137712. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Virtualization Software

Name

• Docker Plugin

Version

• 1.1.0
• 1.1.1
• 1.1.2
• 1.1.3
• 1.1.4
• 1.1.5
• 1.1.6

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion