4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10445

GHSA ID

GHSA-wwr4-79jv-297r

EPSS Score

0.07093%

CWE

CWE-862

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10445

CVE-2019-10445: Missing permission checks in Google Kubernetes Engine Jenkins Plugin

A missing permission check in Jenkins Google Kubernetes Engine Plugin Prior to version 0.7.1 allows attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID. This issue is patched in version 0.7.1

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10445

GHSA ID

GHSA-wwr4-79jv-297r

EPSS Score

0.07093%

CWE

CWE-862

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:google-kubernetes-engine	maven	< 0.7.1	0.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing Job/Configure permission checks on credential validation endpoints. Jenkins plugins typically implement credential validation through Descriptor#doCheck* methods and builder classes. The advisory specifically mentions credential scope disclosure via attacker-controlled IDs, which aligns with credential validation patterns in Jenkins plugins. The high confidence comes from: 1) The CWE-862 classification indicating missing authorization 2) The pattern of credential validation endpoints being common attack surfaces 3) The plugin's purpose (K8s credential management) requiring these functions 4) The patch requiring Job/Configure permission matches typical fixes for such endpoints

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* missin* p*rmission ****k in J*nkins *oo*l* Ku**rn*t*s *n*in* Plu*in Prior to v*rsion *.*.* *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to o*t*in limit** in*orm*tion **out t** s*op* o* * *r***nti*l wit* *n *tt**k*r-sp**i*i** *r***nti*ls I*. T*is i

Reasoning

T** vuln*r**ility st*ms *rom missin* Jo*/*on*i*ur* p*rmission ****ks on *r***nti*l v*li**tion *n*points. J*nkins plu*ins typi**lly impl*m*nt *r***nti*l v*li**tion t*rou** `**s*riptor#*o****k*` m*t*o*s *n* *uil**r *l*ss*s. T** **visory sp**i*i**lly m*

4.3

Basic Information

Concerned about an active attack path?

CVE-2019-10445: Missing permission checks in Google Kubernetes Engine Jenkins Plugin

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI