Cross-Site Request Forgery in Jenkins Config File Provider Plugin
CVE-2018-1000414

8.1HIGH

Key Information:

Vendor: Jenkins
Status: Config File Provider
Vendor: CVE Published:; 9 January 2019

Summary

A cross-site request forgery vulnerability in the Jenkins Config File Provider Plugin allows an attacker to create and modify configuration file definitions. This occurs due to insufficient validation in the handling of requests, potentially leading to unauthorized changes to critical configuration settings within Jenkins instances. Users are advised to update to the latest version of the plugin to mitigate associated risks.

References

http://www.securityfocus.com/bid/106532

vdb-entryx_refsource_BID

https://jenkins.io/security/advisory/2018-09-25/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2019
Vulnerability Reserved
Jan 9, 2019