Description
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker-specified CIFS server with attacker-specified credentials.
Remediation
References
https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975
Related Vulnerabilities
CVE-2017-1000110 Vulnerability in maven package io.jenkins.blueocean:blueocean-parent
CVE-2015-5318 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2019-12418 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2023-46655 Vulnerability in maven package org.jenkins-ci.plugins:electricflow
CVE-2014-3600 Vulnerability in maven package org.apache.activemq:activemq-client