CVE-2018-1000191 – com.synopsys.integration:synopsys-detect

Package

Manager: maven
Name: com.synopsys.integration:synopsys-detect
Vulnerable Version: >=0 <1.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00099 pctl0.28225

Details

Jenkins Black Duck Detect Plugin information exposure vulnerability Jenkins Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs. Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability. These form validation methods now require POST requests and Overall/Administer permissions.

Metadata

Created: 2022-05-14T01:09:55Z
Modified: 2024-01-05T17:20:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6w3h-vq7m-v3qf/GHSA-6w3h-vq7m-v3qf.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-6w3h-vq7m-v3qf
Finding: F038
Auto approve: 1