Cross-Site Request Forgery in Jenkins FTP Publisher Plugin
CVE-2019-1003058

6.5 MEDIUM

Key Information:

Vendor: Jenkins
CVE Published: 4 April 2019

Summary

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins FTP Publisher Plugin. The form-validation method FTPPublisher.DescriptorImpl#doLoginCheck can be triggered by a forged request, which lets an attacker make the Jenkins instance initiate a connection to a server of the attacker's choosing, potentially leading to unauthorized data access or manipulation. Users of the affected versions should apply the recommended patches to mitigate this risk.
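The pattern behind this advisory, as an added illustration that is not the plugin's actual source: a Jenkins descriptor's "test login" form validator that opens an FTP session to a caller-supplied host, first exposed to forged requests, then hardened with the two safeguards Jenkins plugins use for such endpoints, `@RequirePOST` (so a cross-site GET cannot trigger it and a POST must carry the session's CSRF crumb) and an explicit permission check. The class and method names are hypothetical.

```java
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.apache.commons.net.ftp.FTPClient;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

// Hypothetical descriptor (not the plugin's code) showing the advisory's pattern:
// a connection-test form validator reachable over HTTP at .../descriptorByName/.../doLoginCheck
public class ExampleFtpDescriptor extends BuildStepDescriptor<Publisher> {

    // BEFORE: answers GET and checks no permission. Any page a logged-in user visits
    // can embed a request to this URL and make the controller open an FTP session
    // to a host chosen by that page, i.e. the CSRF described in the advisory.
    public FormValidation doLoginCheckVulnerable(@QueryParameter String hostname,
                                                 @QueryParameter int port) {
        return tryConnect(hostname, port);
    }

    // AFTER: @RequirePOST rejects GET and makes Jenkins enforce its CSRF crumb on the
    // POST; the permission check limits the endpoint to administrators (a job-level
    // validator would instead check Item.CONFIGURE on the @AncestorInPath Item).
    @RequirePOST
    public FormValidation doLoginCheck(@QueryParameter String hostname,
                                       @QueryParameter int port) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (hostname == null || hostname.trim().isEmpty() || port < 1 || port > 65535) {
            return FormValidation.error("Hostname and a port in 1-65535 are required");
        }
        return tryConnect(hostname.trim(), port);
    }

    private static FormValidation tryConnect(String hostname, int port) {
        FTPClient ftp = new FTPClient();
        try {
            ftp.connect(hostname, port);
            return FormValidation.ok("Connected");
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        } finally {
            try { if (ftp.isConnected()) ftp.disconnect(); } catch (IOException ignored) { }
        }
    }

    @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    @Override public String getDisplayName() { return "Example FTP publisher"; }
}
```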

Affected Version(s)

Jenkins FTP Publisher Plugin, all versions as of 2019-04-03

CVSS v3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 4 April 2019

  • Vulnerability reserved