CVE-2018-1999038 — Jenkins Publisher Over CIFS Plugin confused deputy vulnerability

Description

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.

How to fix CVE-2018-1999038

To remediate CVE-2018-1999038, upgrade the affected package to a fixed version below.

—upgrade to 0.11 or later

Is CVE-2018-1999038 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1999038
PATCHgithub.com/jenkinsci/publish-over-cifs-plugin
WEBgithub.com/jenkinsci/publish-over-cifs-plugin/commit/9402d8c1044508c2fc30a5dd1e34afe6819616a0
WEBjenkins.io/security/advisory/2018-07-30/#SECURITY-975