xingyunyang created JCLOUDS-1536:
------------------------------------

Summary: SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)
Key: JCLOUDS-1536
URL: https://issues.apache.org/jira/browse/JCLOUDS-1536
Project: jclouds
Issue Type: Bug
Affects Versions: 1.9.1
Reporter: xingyunyang
*SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)*

JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

Has the problem been fixed? If the problem has been fixed, please tell me the "commitid" for the fixed version. Thanks.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
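The advisory text quoted above names two missing controls in a Jenkins form-validation method: no permission check, and no requirement that the request be a POST. The following is an added illustration of that defect pattern and its standard Jenkins remediation; it is not code from the JClouds Plugin, nor the plugin's actual fix, and the issue itself does not say whether or how the plugin was patched. The method name `doTestConnection`, the parameters `endpoint` and `credentialsId`, the `connect` helper and the package name are assumptions for the example; the Jenkins, Stapler and Credentials Plugin APIs used are the real ones.

```java
package org.example.formvalidation; // hypothetical package, not the plugin's own

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ConnectionCheckExamples {

    // BEFORE: the pattern the advisory describes. Stapler exposes this method for
    // GET as well as POST, and nothing verifies who is calling, so any user with
    // Overall/Read (or the browser of a CSRF victim) can make the Jenkins controller
    // open a connection to a caller-chosen endpoint using a caller-chosen credentials ID.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String endpoint,
                                                 @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = lookup(null, credentialsId);
        if (c == null) {
            return FormValidation.error("Credentials not found");
        }
        return connect(endpoint, c);
    }

    // AFTER: both controls the advisory says were missing.
    @RequirePOST // (1) GET requests are rejected, which closes the CSRF vector
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String endpoint,
                                           @QueryParameter String credentialsId) {
        // (2) Permission check: only a user allowed to configure the surrounding
        //     item (or an administrator at global scope) may drive a connection
        //     test that uses stored credentials. checkPermission throws
        //     AccessDeniedException for everyone else.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials c = lookup(item, credentialsId);
        if (c == null) {
            return FormValidation.error("Credentials not found");
        }
        return connect(endpoint, c);
    }

    // Resolves a credentials ID in the given context (null = global scope).
    private static StandardUsernamePasswordCredentials lookup(Item context, String credentialsId) {
        if (credentialsId == null || credentialsId.isEmpty()) {
            return null;
        }
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        context, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // Hypothetical stand-in for the plugin's real connection test: it only
    // validates the endpoint URL (scheme must be https) and reports which
    // username would be used. A real implementation would open the cloud
    // connection here; the surrounding checks are what matter for this example.
    private static FormValidation connect(String endpoint, StandardUsernamePasswordCredentials c) {
        try {
            URI uri = new URI(endpoint);
            if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
                return FormValidation.error("Endpoint must be an https URL with a host");
            }
        } catch (URISyntaxException e) {
            return FormValidation.error("Invalid endpoint URL: " + e.getMessage());
        }
        return FormValidation.ok("Endpoint accepted; would connect as " + c.getUsername());
    }
}
```

Two design points worth noting: the permission check is placed before the credentials lookup, so an unauthorized caller never learns whether a given credentials ID exists; and the check uses the item passed by `@AncestorInPath`, so a user who can only configure one folder or job cannot exercise credentials scoped elsewhere. When reviewing a plugin for this class of bug, look for every `doCheck*`, `doTest*` or `doFill*` method that takes a credentials ID or a URL and confirm it carries both `@RequirePOST` (or `@POST`) and an explicit permission check.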