PT-2018-9355 · Jenkins · Jenkins Github Pull Request Builder Plugin+1

Thomas De Grenier De Latour

Publicado

2018-06-05

Atualizado

2022-05-14

CVE-2018-1000186

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins GitHub Pull Request Builder Plugin versions 1.41.0 and older

Description A sensitive information exposure issue exists, allowing attackers with Overall/Read access to connect to a specified URL using attacker-specified credentials IDs, potentially capturing stored credentials in Jenkins. Additionally, form validation methods were vulnerable to CSRF attacks due to not requiring POST requests.

Recommendations For Jenkins GitHub Pull Request Builder Plugin versions 1.41.0 and older, update to version 1.42.0 or newer, which requires POST requests and Overall/Administer permissions for form validation methods, mitigating the issue.

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200

Identificadores relacionados

CVE-2018-1000186

GHSA-92RV-MVMJ-47QH

Produtos afetados

Jenkins

Jenkins Github Pull Request Builder Plugin

PT-2018-9355 · Jenkins · Jenkins Github Pull Request Builder Plugin+1

CVE-2018-1000186

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7