GHSA-rf7h-9m85-535v

Source

https://github.com/advisories/GHSA-rf7h-9m85-535v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rf7h-9m85-535v/GHSA-rf7h-9m85-535v.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-rf7h-9m85-535v

Aliases

CVE-2018-1999038

Published

2022-05-14T02:21:29Z

Modified

2024-01-02T05:51:42.339419Z

Severity

4.2 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Jenkins Publisher Over CIFS Plugin confused deputy vulnerability

Details

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.

Database specific

{
    "nvd_published_at": "2018-08-01T13:29:00Z",
    "cwe_ids": [
        "CWE-441"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T16:29:27Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:publish-over-cifs

Package

Name: org.jenkins-ci.plugins:publish-over-cifs; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/publish-over-cifs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.11

Affected versions

0.*

0.2

0.3

0.5

0.6

0.9

0.10

Database specific

{
    "last_known_affected_version_range": "<= 0.10"
}