Description
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier, in CifsPublisherPluginDescriptor.java, that allows attackers to have Jenkins connect to an attacker-specified CIFS server with attacker-specified credentials.
Remediation
References
https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975
Related Vulnerabilities
CVE-2023-35161 Vulnerability in maven package org.xwiki.platform:xwiki-platform-appwithinminutes-ui
CVE-2022-36888 Vulnerability in maven package com.datapipe.jenkins.plugins:hashicorp-vault-plugin
CVE-2023-32070 Vulnerability in maven package org.xwiki.rendering:xwiki-rendering-xml
CVE-2016-10726 Vulnerability in maven package org.dspace:dspace-xmlui
CVE-2017-3159 Vulnerability in maven package org.apache.camel:camel-snakeyaml