Miggo Logo

CVE-2019-10436: Improper Limitation of a Pathname to a Restricted Directory in Jenkins Google OAuth Credentials Plugin

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.35925%
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:google-oauth-pluginmaven<= 0.90.10

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from deprecated getSecretBytesFromFile methods in both JsonServiceAccountConfig and P12ServiceAccountConfig classes. These functions used FileUtils.readFileToByteArray to read arbitrary files based on user-controlled filenames without validating path restrictions or checking RUN_SCRIPTS permissions. The patch removed these methods and centralized the logic in ServiceAccountConfig with an added permission check. The lack of path validation and permission enforcement in the original implementations directly enabled attackers to read any file on the Jenkins master by providing crafted paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *r*itr*ry *il* r*** vuln*r**ility in J*nkins *oo*l* O*ut* *r***nti*ls Plu*in *.* *n* **rli*r *llow** *tt**k*rs **l* to *on*i*ur* jo*s *n* *r***nti*ls in J*nkins to o*t*in t** *ont*nts o* *ny *il* on t** J*nkins m*st*r.

Reasoning

T** vuln*r**ility st*ms *rom **pr***t** `**tS**r*t*yt*s*rom*il*` m*t*o*s in *ot* `JsonS*rvi*****ount*on*i*` *n* `P**S*rvi*****ount*on*i*` *l*ss*s. T**s* *un*tions us** `*il*Utils.r****il*To*yt**rr*y` to r*** *r*itr*ry *il*s **s** on us*r-*ontroll** *