Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yZjdoLTltODUtNTM1ds4AAVXR

Jenkins Publisher Over CIFS Plugin confused deputy vulnerability

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.

Permalink: https://github.com/advisories/GHSA-rf7h-9m85-535v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yZjdoLTltODUtNTM1ds4AAVXR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 7 months ago


CVSS Score: 4.2
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-rf7h-9m85-535v, CVE-2018-1999038
References: Repository: https://github.com/jenkinsci/publish-over-cifs-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:publish-over-cifs
Affected Version Ranges: <= 0.10
Fixed in: 0.11