Description
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier, in CifsPublisherPluginDescriptor.java, that allows attackers to have Jenkins connect to an attacker-specified CIFS server with attacker-specified credentials.
Remediation
References
https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975