Jenkins Publisher Over CIFS Plugin confused deputy vulnerability
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Dec 18, 2023
Package
Affected versions
<= 0.10
Patched versions
0.11
Description
Published by the National Vulnerability Database
Aug 1, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Dec 12, 2022
Last updated
Dec 18, 2023
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.
References