oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Mon, 25 Mar 2019 17:17:44 +0100
On 25. Mar 2019, at 16:09, Daniel Beck <ml () beckweb net> wrote:

> SECURITY-976
>
> Notification Plugin Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
Correction: This is about Slack Notification Plugin.
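The two controls the quoted advisory says were missing (a permission check and a POST requirement on a form-validation method) look like this in a Jenkins plugin descriptor. This is an added illustration, not code from Slack Notification Plugin or any other project; the class, package and method names are hypothetical, and it assumes the standard Jenkins core and Credentials Plugin APIs.

```java
// Added example, not the Slack Notification Plugin's own code. Names such as
// ExampleNotifier, DescriptorImpl and doTestConnection are hypothetical.
package example.hardening;

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;

public class ExampleNotifier extends Notifier {

    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Publisher> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example notifier (hardening illustration)";
        }

        // Form validation for a "Test connection" button. Because this method
        // performs a side effect (an outbound request with a chosen credential),
        // it must (1) only be reachable via POST, which defeats cross-site request
        // forgery via a simple GET link, and (2) verify that the caller is allowed
        // to configure the thing whose credentials are being used, so that
        // Overall/Read alone is not enough to reach it.
        @POST
        public FormValidation doTestConnection(
                @AncestorInPath Item item,
                @QueryParameter String url,
                @QueryParameter String credentialsId) {

            // Permission check: global configuration requires Administer,
            // job-level configuration requires Configure on that job.
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }

            // Only accept a URL scheme the plugin actually supports.
            if (url == null || !url.startsWith("https://")) {
                return FormValidation.error("URL must start with https://");
            }

            // Resolve the credential in the scope of the item (or globally when
            // item is null) rather than from the whole credentials store, so a
            // credentials ID the caller cannot otherwise use does not resolve.
            StandardCredentials creds = null;
            if (credentialsId != null && !credentialsId.isEmpty()) {
                creds = CredentialsMatchers.firstOrNull(
                        CredentialsProvider.lookupCredentials(
                                StandardCredentials.class,
                                item,
                                ACL.SYSTEM,
                                URIRequirementBuilder.fromUri(url).build()),
                        CredentialsMatchers.withId(credentialsId));
                if (creds == null) {
                    return FormValidation.error("Credentials not found in this scope");
                }
            }

            // The actual connection test would go here; it is omitted because
            // it is specific to the service the plugin talks to.
            return FormValidation.ok("Parameters accepted; connection test not implemented in this example");
        }
    }
}
```

The permission branch mirrors what the advisory text implies was absent: a caller with nothing more than Overall/Read is rejected before any outbound request is made or any credential is resolved. The `@POST` annotation is the fix for the second half of the finding, since a validation method reachable via GET can be triggered by a link or image tag without the user's intent.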