Details
- Type: Bug
- Status: Resolved
- Priority: Blocker
- Resolution: Invalid
- Version: 1.9.1
Description
SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)
JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to make Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs (obtainable through another method), thereby capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
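For reference, the two hardening measures the advisory describes, a permission check on the form-validation method and a POST-only requirement, look like this in a Jenkins plugin descriptor. This is an added illustration, not the JClouds plugin's own code; the `ExampleEndpoint` class, the `connectTo` helper and the placeholder logic inside it are assumptions.

```java
package example.jenkins;  // hypothetical package for this illustration

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleEndpoint extends AbstractDescribableImpl<ExampleEndpoint> {

    @Extension
    public static final class DescriptorImpl extends Descriptor<ExampleEndpoint> {

        @Override
        public String getDisplayName() { return "Example endpoint"; }

        // Vulnerable shape, shown for contrast: reachable by GET and without any
        // permission check, so any Overall/Read user could make Jenkins send the
        // credential named by credentialsId to whatever endpointUrl they supplied.
        //
        //   public FormValidation doTestConnection(@QueryParameter String endpointUrl,
        //                                          @QueryParameter String credentialsId)

        // Hardened form: @POST rejects GET requests (and, together with Jenkins'
        // crumb mechanism, defeats CSRF); the permission check runs before any
        // credential is looked up, so an unauthorized caller gets an AccessDeniedException.
        @POST
        public FormValidation doTestConnection(@QueryParameter String endpointUrl,
                                               @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);

            StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                            Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (creds == null) {
                return FormValidation.error("No such credentials: " + credentialsId);
            }
            return connectTo(endpointUrl, creds)
                    ? FormValidation.ok("Connection succeeded")
                    : FormValidation.error("Connection failed");
        }

        // Hypothetical stand-in for the plugin's real connectivity probe.
        private boolean connectTo(String endpointUrl, StandardUsernamePasswordCredentials creds) {
            return endpointUrl != null && endpointUrl.startsWith("https://");
        }
    }
}
```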
Has the problem been fixed? If the problem has been fixed, please tell me the "commitid" for the fixed version. Thanks