CVE-2018-1999038 — Jenkins Publisher Over CIFS Plugin confused deputy vulnerability

描述

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.

如何修補 CVE-2018-1999038

要修補 CVE-2018-1999038,請將受影響套件升級到下列已修補版本。

—升級至 0.11 或更新版本

CVE-2018-1999038 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 0.11

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

參考連結(4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1999038
PATCHgithub.com/jenkinsci/publish-over-cifs-plugin
WEBgithub.com/jenkinsci/publish-over-cifs-plugin/commit/9402d8c1044508c2fc30a5dd1e34afe6819616a0
WEBjenkins.io/security/advisory/2018-07-30/#SECURITY-975