GHSA-7wxc-7qrg-rg6w

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 4.2

Описание

Jenkins JClouds Plugin missing permission check

Jenkins JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:jclouds-jenkins

maven

Затронутые версииВерсия исправления

<= 2.14

2.15

EPSS

Процентиль: 21%

0.00068

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2019-10369

Дефекты

CWE-862

Связанные уязвимости

CVE-2019-10369

CVSS3: 6.5

nvd

больше 6 лет назад

A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 21%

0.00068

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2019-10369

Дефекты

CWE-862