PT-2018-15206 · Jenkins · Jenkins Saltstack Plugin+1

Oleg Nenashev · Published 2018-08-01 · Updated 2022-05-14 · CVE-2018-1999027

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins SaltStack Plugin versions 3.1.6 and earlier

Description: An exposure of sensitive information issue exists in the Jenkins SaltStack Plugin, specifically in SaltAPIBuilder.java and SaltAPIStep.java. It allows attackers to capture credentials stored in Jenkins whose credentials ID they know. The plugin did not perform permission checks on the methods implementing form validation, so users with Overall/Read access to Jenkins could make it connect to an attacker-specified URL using attacker-specified credentials IDs; this also let attackers cause Jenkins to submit HTTP requests to attacker-specified URLs. Furthermore, the form validation methods were vulnerable to CSRF because they did not require POST requests.

Recommendations: For Jenkins SaltStack Plugin versions 3.1.6 and earlier, update to version 3.1.7 or later, which requires POST requests and Overall/Administer permission for the form validation methods, mitigating the issue. As a temporary workaround, consider restricting access to the SaltAPIBuilder.java and SaltAPIStep.java classes to minimize the risk of exploitation. Additionally, restrict Overall/Read access to Jenkins to prevent unauthorized users from connecting to attacker-specified URLs.
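The pattern behind this advisory, and the fix it describes, shown side by side in a hypothetical Jenkins build-step descriptor (added illustration, not the SaltStack plugin's own code): an unguarded form-validation method versus one that requires POST and checks Overall/Administer before resolving any credential or making any outbound request. The class, method and parameter names are assumptions; the Jenkins, Stapler and Credentials plugin APIs used are the standard ones.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
// Hypothetical build step, not the SaltStack plugin's code; the descriptor's doXxx methods are the point.
public class ExampleApiBuilder extends Builder {
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        // BEFORE (vulnerable pattern): any Overall/Read user can hit this over GET, so a CSRF page
        // can drive it, Jenkins connects to a caller-chosen URL, and it resolves any credential by ID.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String servername, @QueryParameter String credentialsId) {
            return probe(servername, credentialsId);
        }
        // AFTER (the fix the advisory describes): POST only, which brings Jenkins' CSRF crumb
        // check into play, and Overall/Administer is verified before any lookup or request.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String servername, @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException otherwise
            return probe(servername, credentialsId);
        }
        private FormValidation probe(String servername, String credentialsId) {
            StandardUsernamePasswordCredentials cred = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                    Jenkins.get(), ACL.SYSTEM, Collections.emptyList()), CredentialsMatchers.withId(credentialsId));
            if (cred == null) return FormValidation.error("No credential with that ID");
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(servername).openConnection();
                c.setConnectTimeout(5000); // a real step would authenticate as cred here
                return FormValidation.ok("HTTP " + c.getResponseCode() + " as " + cred.getUsername());
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Example API step"; }
    }
}
```

The guarded method is what a reviewer should look for in any plugin that takes a URL or credentials ID from a form field: the permission check sits before the credential lookup and before the connection is opened, not after.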

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2018-1999027
GHSA-CQP4-CV7H-7JP5

Affected Products

Jenkins
Jenkins Saltstack Plugin