CVE-2018-1999038 – org.jenkins-ci.plugins:publish-over-cifs

Package

Manager: maven
Name: org.jenkins-ci.plugins:publish-over-cifs
Vulnerable Version: >=0 <0.11

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00031 pctl0.07238

Details

Jenkins Publisher Over CIFS Plugin confused deputy vulnerability A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.

Metadata

Created: 2022-05-14T02:21:29Z
Modified: 2022-12-12T16:29:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rf7h-9m85-535v/GHSA-rf7h-9m85-535v.json
CWE IDs: ["CWE-441"]
Alternative ID: GHSA-rf7h-9m85-535v
Finding: F332
Auto approve: 1