PT-2019-8733 · Jenkins · Jenkins Crowd 2 Integration Plugin

Viktor Gazdag

Published

2019-01-09

Updated

2022-05-14

CVE-2018-1000422

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Crowd 2 Integration Plugin versions 2.0.0 and earlier

Description An improper authorization issue exists in the CrowdSecurityRealm.java file, allowing attackers to perform a connection test. This test connects to an attacker-specified server using attacker-specified credentials and connection settings.

Recommendations For Jenkins Crowd 2 Integration Plugin versions 2.0.0 and earlier, consider restricting access to the CrowdSecurityRealm.java file until a patch is available. As a temporary workaround, avoid using the connection test feature in the affected plugin to minimize the risk of exploitation.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2018-1000422

GHSA-GRMG-5Q49-MQMF

Affected Products

Jenkins Crowd 2 Integration Plugin

PT-2019-8733 · Jenkins · Jenkins Crowd 2 Integration Plugin

CVE-2018-1000422

Weakness Enumeration

Related Identifiers

Affected Products

References · 8