Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04dmc3LWdoNzMtODY2ds4AASyP
Jenkins Accurev Plugin CSRF vulnerability and missing permission checks
An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
Permalink: https://github.com/advisories/GHSA-8vg7-gh73-866vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04dmc3LWdoNzMtODY2ds4AASyP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8vg7-gh73-866v, CVE-2018-1999028
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1999028
- https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1021
- https://github.com/jenkinsci/accurev-plugin/commit/a86e05f7747b8f7d483f61a840cfb7a1a0105eee
- https://github.com/advisories/GHSA-8vg7-gh73-866v
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:accurev
Affected Version Ranges: <= 0.7.16Fixed in: 0.7.17