Posted to notifications@jclouds.apache.org by "xingyunyang (Jira)" <ji...@apache.org> on 2020/01/07 00:47:00 UTC
[jira] [Created] (JCLOUDS-1536) SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)
xingyunyang created JCLOUDS-1536:
------------------------------------
Summary: SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)
Key: JCLOUDS-1536
URL: https://issues.apache.org/jira/browse/JCLOUDS-1536
Project: jclouds
Issue Type: Bug
Affects Versions: 1.9.1
Reporter: xingyunyang
*SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)*
JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
Has the problem been fixed? If the problem has been fixed, please tell me the "commit id" for the fixed version. Thanks.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
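The two defects described in the report (a form-validation method reachable by any Overall/Read user, and reachable via GET) are a standard Jenkins plugin pattern, and so is the fix Jenkins documents for it: check the permission that protects the configuration being validated, and annotate the method with @RequirePOST. The following is an added example written for this page, not the jclouds plugin's own code; the descriptor class and the doTestConnection method name are assumptions (the report does not name the affected method), and the "vulnerable" method is kept side by side with the hardened one only to show the difference.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical cloud descriptor written for this example; not the jclouds plugin's code. */
public class ExampleCloudDescriptor {

    /* BEFORE: the pattern the report describes.
     * - no permission check, so any user with Overall/Read can call it
     * - no @RequirePOST, so a plain GET link in any web page triggers it (CSRF)
     * Both parameters are attacker-controlled. */
    public FormValidation doTestConnectionVulnerable(@QueryParameter String endPointUrl,
                                                     @QueryParameter String credentialsId)
            throws IOException {
        StandardUsernamePasswordCredentials creds = resolve(credentialsId);
        if (creds == null) {
            return FormValidation.error("No credentials with id " + credentialsId);
        }
        return probe(endPointUrl, creds);
    }

    /* AFTER: hardened form. Cloud configuration is global, so the permission that guards
     * it is Overall/Administer; for a field on a job you would instead check Item.CONFIGURE
     * on an @AncestorInPath Item. @RequirePOST makes Stapler refuse GET requests. */
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String endPointUrl,
                                           @QueryParameter String credentialsId)
            throws IOException {
        // Throws AccessDeniedException (HTTP 403) for callers without Overall/Administer.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        StandardUsernamePasswordCredentials creds = resolve(credentialsId);
        if (creds == null) {
            return FormValidation.error("No credentials with id " + credentialsId);
        }
        return probe(endPointUrl, creds);
    }

    /* Looks the credential up as SYSTEM, i.e. with full access to the global store.
     * This is why the missing permission check matters: the lookup does not depend on
     * what the calling user is allowed to see. */
    private static StandardUsernamePasswordCredentials resolve(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    /* Sends the stored username and password to whatever host endPointUrl names.
     * With an attacker-chosen URL and no permission check, this is the credential leak. */
    private static FormValidation probe(String endPointUrl,
                                        StandardUsernamePasswordCredentials creds)
            throws IOException {
        String token = Base64.getEncoder().encodeToString(
                (creds.getUsername() + ":" + creds.getPassword().getPlainText())
                        .getBytes(StandardCharsets.UTF_8));
        HttpURLConnection conn = (HttpURLConnection) new URL(endPointUrl).openConnection();
        conn.setRequestProperty("Authorization", "Basic " + token);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        int status = conn.getResponseCode();
        return status < 400
                ? FormValidation.ok("Connected (HTTP " + status + ")")
                : FormValidation.error("Endpoint returned HTTP " + status);
    }
}
```

To verify a fix of this shape, log in as a user that has only Overall/Read and request the validation URL of the descriptor (the descriptorByName path to doTestConnection) with an endPointUrl pointing at a host you control: before the fix the Jenkins controller connects to that host and presents the stored credential; after it, a GET is refused by @RequirePOST and a POST is refused by the permission check, and nothing reaches your host. Do the same check for any companion doFill...Items method that enumerates credential IDs, since that is the "other method" through which the IDs are obtained.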