PT-2018-15216 · Jenkins · Jenkins Resource Disposer Plugin+1

Viktor Gazdag

Published

2018-08-01

Updated

2022-05-14

CVE-2018-1999037

CVSS v2.0

4.0

Medium

Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Resource Disposer Plugin versions 0.11 and earlier

Description A data modification issue exists that allows attackers to stop tracking a specified resource. This is related to the AsyncResourceDisposer.java file. Additionally, a CSRF issue was identified due to an API endpoint not requiring POST requests.

Recommendations For Jenkins Resource Disposer Plugin versions 0.11 and earlier, update to version 0.12 or later, which requires POST requests and Overall/Administer permissions for the affected API endpoint.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-1999037

GHSA-63JG-5WV6-7GHV

Affected Products

Jenkins

Jenkins Resource Disposer Plugin

PT-2018-15216 · Jenkins · Jenkins Resource Disposer Plugin+1

CVE-2018-1999037

Weakness Enumeration

Related Identifiers

Affected Products

References · 6