[JENKINS:SECURITY-975] CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin

Severity Medium

Affected Packages 2

Fixed Packages 2

CVEs 1

Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation.
This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/publish-over-cifs	<= 0.10
pkg:github/jenkinsci/publish-over-cifs-plugin	<= 0.10

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/publish-over-cifs	= 0.11
pkg:github/jenkinsci/publish-over-cifs-plugin	= 0.11

ID

JENKINS:SECURITY-975

Severity

medium

Published

2018-07-30T00:00:00
(6 years ago)

Modified

2018-07-30T00:00:00
(6 years ago)

Rights

Jenkins Security Team

Other Advisories

MAVEN:GHSA-RF7H-9M85-535V

Source	# ID	Name	URL
Plugin repository		publish-over-cifs repository	https://github.com/jenkinsci/publish-over-cifs-plugin

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/publish-over-cifs	org.jenkins-ci.plugins	publish-over-cifs	<= 0.10
Fixed	pkg:maven/org.jenkins-ci.plugins/publish-over-cifs	org.jenkins-ci.plugins	publish-over-cifs	= 0.11
Affected	pkg:github/jenkinsci/publish-over-cifs-plugin	jenkinsci	publish-over-cifs-plugin	<= 0.10
Fixed	pkg:github/jenkinsci/publish-over-cifs-plugin	jenkinsci	publish-over-cifs-plugin	= 0.11

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date