Jenkins JClouds Plugin missing permission check
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Oct 26, 2023
Package
Affected versions
<= 2.14
Patched versions
2.15
Description
Published by the National Vulnerability Database
Aug 7, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Oct 26, 2023
Last updated
Oct 26, 2023
Jenkins JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer permission.
References