xingyunyang created JCLOUDS-1536:
------------------------------------

             Summary: SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 
(permission check) 
                 Key: JCLOUDS-1536
                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1536
             Project: jclouds
          Issue Type: Bug
    Affects Versions: 1.9.1
            Reporter: xingyunyang


*SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)* 
JClouds Plugin did not perform permission checks on a method implementing form 
validation. This allowed users with Overall/Read access to Jenkins to connect 
to an attacker-specified URL using attacker-specified credentials IDs obtained 
through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, 
resulting in a cross-site request forgery vulnerability.

Has the problem been fixed? If the problem has been fixed, please tell me the
"commitid" for the fixed version. Thanks



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
