PT-2018-9360 · Jenkins · Jenkins Black Duck Detect Plugin

Thomas De Grenier De Latour · Published 2018-06-05 · Updated 2022-05-14 · CVE-2018-1000191

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Black Duck Detect Plugin versions 1.4.0 and older

Description: A sensitive information exposure issue exists, allowing attackers with Overall/Read access to make Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs, thereby capturing credentials stored in Jenkins. The vulnerability is due to a lack of permission checks on the methods implementing form validation; because these methods also do not require POST requests, the same flaw results in a CSRF vulnerability.

Recommendations: For Jenkins Black Duck Detect Plugin versions 1.4.0 and older, update the plugin to a version that requires Overall/Administer permissions for form validation methods and mandates POST requests to prevent CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
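As an added illustration, not code from the Black Duck Detect plugin, the pattern the description refers to in a hypothetical Jenkins plugin descriptor: the unchecked form-validation method beside the hardened version that applies the recommended fix (an Overall/Administer permission check plus a POST requirement). `HubServerDescriptor`, `HubServerConfig`, `doTestConnectionUnsafe`, `doTestConnection` and `tryConnect` are assumed names.

```java
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor for an assumed Describable config class; this is
// an illustration of the advisory's pattern, not the plugin's own code.
public class HubServerDescriptor extends Descriptor<HubServerConfig> {

    // BEFORE (the flaw the advisory describes): no permission check and the
    // method answers GET requests, so any Overall/Read user, or a page that
    // user's browser loads (CSRF), can have Jenkins connect to `url` with the
    // stored credentials selected by `credentialsId`.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return tryConnect(url, credentialsId);
    }

    // AFTER: @RequirePOST makes Stapler reject non-POST requests (closing the
    // CSRF path), and the permission check restricts the connection test to
    // administrators, who are already trusted with the stored credentials.
    // Jenkins.get() needs Jenkins 2.98+; older cores use Jenkins.getInstance().
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url, credentialsId);
    }

    // Placeholder for the real connection test, which would resolve
    // credentialsId and perform an authenticated request to url.
    private FormValidation tryConnect(String url, String credentialsId) {
        return FormValidation.ok();
    }
}
```

The same two changes apply to any `doCheck*`/`doTest*`/`doFill*` method that reaches out to a user-supplied URL with Jenkins-held secrets; a permission check alone still leaves the GET-triggered CSRF path open.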

Information Disclosure

Related Identifiers

CVE-2018-1000191
GHSA-6W3H-VQ7M-V3QF

Affected Products

Jenkins
Jenkins Black Duck Detect Plugin