Description
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials.
Remediation
References
https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975
Related Vulnerabilities
CVE-2020-6422 Vulnerability in maven package org.webjars.npm:electron
CVE-2017-1000388 Vulnerability in maven package org.jenkins-ci.plugins:depgraph-view
CVE-2021-25640 Vulnerability in maven package org.apache.dubbo:dubbo
CVE-2020-2232 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2021-46363 Vulnerability in maven package info.magnolia:magnolia-core