Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02dzNoLXZxN20tdjNxZs4AATng
Jenkins Black Duck Detect Plugin information exposure vulnerability
Jenkins Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
Permalink: https://github.com/advisories/GHSA-6w3h-vq7m-v3qfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02dzNoLXZxN20tdjNxZs4AATng
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 4 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-6w3h-vq7m-v3qf, CVE-2018-1000191
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000191
- https://jenkins.io/security/advisory/2018-06-04/#SECURITY-866
- https://github.com/jenkinsci/synopsys-detect-plugin/commit/0da415d793e39f2ed3ec0fec5955485904d7175b
- https://plugins.jenkins.io/blackduck-detect/
- https://github.com/advisories/GHSA-6w3h-vq7m-v3qf
Blast Radius: 1.0
Affected Packages
maven:com.synopsys.integration:synopsys-detect
Affected Version Ranges: < 1.4.1Fixed in: 1.4.1