PT-2018-18596 · Jenkins · Jenkins Mailer Plugin+1

Kl3_Gmjq6

Published

2018-03-27

Updated

2022-05-14

CVE-2018-8718

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Mailer Plugin version 1.20

Description A cross-site request forgery issue exists, allowing remote authenticated users to send unauthorized mail as an arbitrary user. This is achieved via a request to the "/descriptorByName/hudson.tasks.Mailer/sendTestMail" API endpoint.

Recommendations For Jenkins Mailer Plugin version 1.20, consider disabling the Mailer Plugin until a patch is available to prevent exploitation. Restrict access to the "/descriptorByName/hudson.tasks.Mailer/sendTestMail" API endpoint to minimize the risk of unauthorized mail being sent.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2018-8718

GHSA-6G57-H38C-Q52G

Affected Products

Jenkins

Jenkins Mailer Plugin

PT-2018-18596 · Jenkins · Jenkins Mailer Plugin+1

CVE-2018-8718

Weakness Enumeration

Related Identifiers

Affected Products

References · 8