CVE-2018-1000412

Name of the Vulnerable Software and Affected Versions Jenkins Jira Plugin versions 3.0.1 and earlier

Description An improper authorization issue exists in the JiraSite.java component, allowing attackers with Overall/Read access to connect Jenkins to an attacker-specified URL using attacker-specified credentials IDs. This could lead to the capture of credentials stored in Jenkins.

Recommendations For Jenkins Jira Plugin versions 3.0.1 and earlier, consider updating to version 3.0.2 or later, which requires POST requests and stricter permissions, such as Overall/Administer for globally defined sites or Item/Configure for sites defined for a folder, to mitigate the risk of exploitation.