[JCLOUDS-1536] SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Invalid
Affects Version/s: 1.9.1
Fix Version/s: None
Component/s: None
Labels:
None

Description

SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)
JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

Has the problem been fixed？If the problem has been fixed, please tell me the "commitid" for fixed version.Thanks

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: xingyunyang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/Jan/20 00:46

Updated:: 07/Jan/20 10:11

Resolved:: 07/Jan/20 10:11