Description
A confused deputy vulnerability exists in CifsPublisherPluginDescriptor.java in Jenkins Publisher Over CIFS Plugin 0.10 and earlier. It allows attackers to have Jenkins connect to an attacker-specified CIFS server using attacker-specified credentials.
Remediation
References
https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975
Related Vulnerabilities
CVE-2023-36469 Vulnerability in maven package org.xwiki.platform:xwiki-platform-notifications-ui
CVE-2022-41937 Vulnerability in maven package org.xwiki.platform:xwiki-platform-filter-ui
CVE-2023-49674 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner
CVE-2021-21655 Vulnerability in maven package org.jenkins-ci.plugins:p4
CVE-2020-11023 Vulnerability in maven package org.webjars:jquery