Cross-site Request Forgery (CSRF)

Affecting org.jenkins-ci.plugins:jclouds-jenkins artifact, versions [,2.15)

Overview

org.jenkins-ci.plugins:jclouds-jenkins is a plugin that uses JClouds to provide slave launching on most of the currently usable Cloud infrastructures.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The plugin does not perform permission checks on a method implementing form validation, and that method also does not require POST requests. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
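
As an added illustration (not the jclouds-jenkins plugin's own code), the following hypothetical Jenkins cloud descriptor shows a form-validation endpoint in the weak shape the advisory describes next to a hardened version; the class and method names are invented, the Jenkins and Credentials plugin APIs are real, and wiring into an actual Cloud implementation is omitted.

```java
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.slaves.Cloud;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import java.util.Collections;
// Hypothetical descriptor for a hypothetical cloud; not from the plugin.
public final class ExampleCloudDescriptor extends Descriptor<Cloud> {
    public ExampleCloudDescriptor() {
        super(Cloud.class);
    }
    @Override public String getDisplayName() { return "Example cloud"; }

    // WEAK (the shape the advisory describes): no permission check and no
    // POST requirement, so a plain GET issued on behalf of any user with
    // Overall/Read resolves stored credentials and sends them to `endpoint`.
    public FormValidation doCheckEndpointWeak(@QueryParameter String endpoint,
                                              @QueryParameter String credentialsId) {
        return connect(endpoint, credentialsId);
    }

    // HARDENED: @POST rejects GET (and lets Jenkins enforce its CSRF crumb),
    // and the permission check limits the endpoint to users who may configure
    // clouds; both run before any credentials are looked up.
    @POST
    public FormValidation doCheckEndpoint(@QueryParameter String endpoint,
                                          @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(endpoint, credentialsId);
    }

    private FormValidation connect(String endpoint, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No credentials with id " + credentialsId);
        }
        // Open the connection to `endpoint` with c.getUsername()/c.getPassword() here.
        return FormValidation.ok("Connected");
    }
}
```

The remediated release applies the same two controls (POST requirement plus permission check) to the plugin's real validation method.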

Remediation

Upgrade org.jenkins-ci.plugins:jclouds-jenkins to version 2.15 or higher.

CVSS Score

4.2 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Credit
Oleg Nenashev, CloudBees, Inc. and, independently, Viktor Gazdag, NCC Group
CVE
CVE-2019-10368, CVE-2019-10369
CWE
CWE-352
Snyk ID
SNYK-JAVA-ORGJENKINSCIPLUGINS-458739
Disclosed
07 Aug, 2019
Published
08 Aug, 2019