Description

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials.

Remediation

References

https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975

Related Vulnerabilities

CVE-2018-20677 Vulnerability in maven package org.webjars.bowergithub.jasny:bootstrap

CVE-2023-37963 Vulnerability in maven package io.jenkins.plugins:benchmark-evaluator

CVE-2019-17554 Vulnerability in maven package org.apache.olingo:odata-server-api

CVE-2018-5158 Vulnerability in maven package org.webjars.bowergithub.mozilla:pdfjs-dist

CVE-2021-41303 Vulnerability in maven package org.apache.shiro:shiro-core

Severity

Medium

Classification

CWE-441 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Tags

Vendor Advisory