[org.jenkins-ci.plugins:jira] Jenkins Jira Plugin Incorrect Authorization vulnerability

An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. In version 3.0.2, this form validation method requires POST requests and Overall/Administer (for globally defined sites) or Item/Configure permissions (for sites defined for a folder).

References

https://nvd.nist.gov/vuln/detail/CVE-2018-1000412
https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1029
http://www.securityfocus.com/bid/106532
https://github.com/advisories/GHSA-fpg6-xqj4-j7wf

TechMedia

[org.jenkins-ci.plugins:jira] Jenkins Jira Plugin Incorrect Authorization vulnerability

References

Related

Archives