1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1067

[JENKINS:SECURITY-1067] Server-side request forgery vulnerability in Crowd 2 Integration Plugin

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

Crowd 2 Integration Plugin did not perform permission checks on a method implementing form validation.
This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL with attacker-specified credentials and connection settings.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/crowd2 <= 2.0.0
pkg:github/jenkinsci/crowd2-plugin <= 2.0.0
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/crowd2 = 2.0.1
pkg:github/jenkinsci/crowd2-plugin = 2.0.1
ID
JENKINS:SECURITY-1067
Severity
medium
Published
2018-09-25T00:00:00
(6 years ago)
Modified
2018-09-25T00:00:00
(6 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository crowd2 repository https://github.com/jenkinsci/crowd2-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/crowd2 org.jenkins-ci.plugins crowd2 <= 2.0.0
Fixed pkg:maven/org.jenkins-ci.plugins/crowd2 org.jenkins-ci.plugins crowd2 = 2.0.1
Affected pkg:github/jenkinsci/crowd2-plugin jenkinsci crowd2-plugin <= 2.0.0
Fixed pkg:github/jenkinsci/crowd2-plugin jenkinsci crowd2-plugin = 2.0.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date