Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yZjdoLTltODUtNTM1ds4AAVXR
Jenkins Publisher Over CIFS Plugin confused deputy vulnerability
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.
Permalink: https://github.com/advisories/GHSA-rf7h-9m85-535vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yZjdoLTltODUtNTM1ds4AAVXR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 4.2
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-rf7h-9m85-535v, CVE-2018-1999038
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1999038
- https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975
- https://github.com/jenkinsci/publish-over-cifs-plugin/commit/9402d8c1044508c2fc30a5dd1e34afe6819616a0
- https://github.com/advisories/GHSA-rf7h-9m85-535v
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:publish-over-cifs
Affected Version Ranges: <= 0.10Fixed in: 0.11