PT-2019-11324 · Jenkins · Jenkins Octopusdeploy Plugin+1
Thomas De Grenier De Latour
·
Published
2019-02-20
·
Updated
2023-10-25
·
CVE-2019-1003027
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Jenkins OctopusDeploy Plugin versions 1.8.1 and earlier
Description:
A server-side request forgery issue exists that allows attackers with Overall/Read permission to have the server connect to an attacker-specified URL and obtain the HTTP response code if successful, or an exception error message otherwise.
Recommendations:
For Jenkins OctopusDeploy Plugin versions 1.8.1 and earlier, consider restricting access to the OctopusDeployPlugin.java file until a patch is available. As a temporary workaround, limit the Overall/Read permission to minimize the risk of exploitation.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Octopusdeploy Plugin