PT-2018-15217 · Jenkins · Jenkins Publisher Over Cifs Plugin+1

Viktor Gazdag · Published 2018-08-01 · Updated 2022-05-14 · CVE-2018-1999038

CVSS v2.0: 4.9 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Publisher Over CIFS Plugin versions 0.10 and earlier
Description: A confused deputy issue exists that allows attackers to have Jenkins connect to an attacker-specified CIFS server with attacker-specified credentials. Additionally, a CSRF issue is present because a form validation method does not require POST requests.
Recommendations: For Jenkins Publisher Over CIFS Plugin versions 0.10 and earlier, update to version 0.11 or later, which requires POST requests and Overall/Administer permissions for the form validation method, addressing both the confused deputy and CSRF issues.
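The following is an added illustration of the hardening pattern the recommendation describes; it is not the Publisher Over CIFS plugin's own code, and the class and method names (`ExampleCifsPublisherDescriptor`, `doTestConnection`, `tryConnect`) are hypothetical. It shows a Jenkins form-validation endpoint in the weak shape (reachable by GET, no permission check) next to the fixed shape (`@RequirePOST` plus an Overall/Administer check).

```java
// Added example, not the plugin's code: weak vs. hardened Jenkins form-validation endpoint.
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleCifsPublisherDescriptor extends BuildStepDescriptor<Publisher> {

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) {
        return true;
    }

    @Override
    public String getDisplayName() {
        return "Example CIFS publisher (hypothetical)";
    }

    // Weak shape (the pre-0.11 pattern described in the advisory): any GET request reaches it
    // and no permission is checked, so a crafted link opened by a logged-in user makes Jenkins
    // connect to an attacker-chosen host with attacker-chosen credentials (confused deputy + CSRF).
    public FormValidation doTestConnectionWeak(@QueryParameter String host,
            @QueryParameter String username, @QueryParameter String password) {
        return tryConnect(host, username, password);
    }

    // Hardened shape (the 0.11 approach): @RequirePOST rejects GET, so a plain cross-site link
    // cannot trigger it and Jenkins' CSRF crumb protection applies to the POST; the explicit
    // Overall/Administer check limits who may ask Jenkins to open an outbound CIFS connection.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String host,
            @QueryParameter String username, @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(host, username, password);
    }

    // Hypothetical stand-in for the real connectivity test; performs no network I/O here.
    private FormValidation tryConnect(String host, String username, String password) {
        if (host == null || host.trim().isEmpty()) {
            return FormValidation.error("Host is required");
        }
        return FormValidation.ok("Connection parameters look valid");
    }
}
```

Reviewing a plugin for this class of issue means looking at every `doCheck*`/`doTest*` method that takes host or credential parameters and confirming both the `@RequirePOST` annotation and a permission check are present.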

Fix


Weakness Enumeration

Related Identifiers

CVE-2018-1999038
GHSA-RF7H-9M85-535V

Affected Products

Jenkins
Jenkins Publisher Over Cifs Plugin