Description
A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier, in CifsPublisherPluginDescriptor.java, that allows attackers to have Jenkins connect to an attacker-specified CIFS server with attacker-specified credentials.
Remediation
References
https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975