PT-2017-10790 · Jenkins · Subversion Plugin

Jesse Glick · Published 2017-10-04 · Updated 2022-05-17 · CVE-2017-1000085

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Subversion Plugin versions prior to 2.9
Description: The Subversion Plugin has functionality that connects to a user-specified Subversion repository as part of form validation. This functionality improperly checked permissions, allowing any user with Item/Build permission to make Jenkins connect to any web server or Subversion server and send the credentials stored under a known credentials ID, so that the server could capture them. Additionally, this functionality did not require that POST requests be used, allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.
Recommendations: For versions prior to 2.9, update to version 2.9 or later, which properly checks permissions and only accepts POST requests. As a temporary workaround, consider restricting access to the Subversion Plugin functionality to minimize the risk of exploitation.
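The two defects named above (a form-validation endpoint that opens an outbound connection with stored credentials while checking only a weak permission, and accepting that request over GET) map onto a standard hardening pattern for Jenkins `doCheck*` methods. The following is an added illustration, not the Subversion Plugin's own code or its actual fix: the class name `ExampleScmDescriptor`, the method names and the `connectAndValidate` placeholder are assumptions; `@RequirePOST`, `@AncestorInPath`, `@QueryParameter`, `FormValidation` and `Item.CONFIGURE` are real Jenkins/Stapler APIs.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor class; illustrates the gating, not the SVN protocol.
public class ExampleScmDescriptor {

    // Weak form (the shape of the pre-2.9 problem): reachable over GET, and any
    // caller who can see the form can make Jenkins connect to an arbitrary host
    // and present the credentials identified by credentialsId.
    public FormValidation doCheckRemoteUnsafe(@QueryParameter String remote,
                                              @QueryParameter String credentialsId) {
        return connectAndValidate(remote, credentialsId);
    }

    // Hardened form: POST-only, so a crafted link or <img> tag cannot trigger it
    // (CSRF), and gated on a configuration-level permission on the item being
    // edited, so Item/Build alone does not reach the outbound connection.
    @RequirePOST
    public FormValidation doCheckRemote(@AncestorInPath Item item,
                                        @QueryParameter String remote,
                                        @QueryParameter String credentialsId) {
        if (item == null) {
            // No item context (e.g. called outside a job configuration page):
            // do not perform any outbound connection at all.
            return FormValidation.ok();
        }
        // Throws AccessDeniedException (rendered as HTTP 403) if the caller lacks it.
        item.checkPermission(Item.CONFIGURE);

        if (remote == null || remote.trim().isEmpty()) {
            return FormValidation.warning("Repository URL is empty");
        }
        // Reject values that are not absolute URLs before contacting anything.
        try {
            URI uri = new URI(remote.trim());
            if (uri.getScheme() == null || uri.getHost() == null) {
                return FormValidation.error("Repository URL must be absolute with a host");
            }
        } catch (URISyntaxException e) {
            return FormValidation.error("Malformed repository URL: " + e.getMessage());
        }
        return connectAndValidate(remote, credentialsId);
    }

    // Placeholder for the actual repository probe (assumption: the real plugin's
    // probe is not reproduced here). Only reached after the checks above.
    private FormValidation connectAndValidate(String remote, String credentialsId) {
        return FormValidation.ok();
    }
}
```

The permission check and `@RequirePOST` are independent controls: the former stops a low-privileged but authenticated user from steering stored credentials to a server of their choosing, while the latter removes the cross-site path by which an unauthenticated attacker could do the same through a logged-in victim's browser. Dropping either one leaves one of the two issues in the description open.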

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2017-1000085
GHSA-HRWC-PQFM-G6QF

Affected Products

Jenkins
Subversion Plugin