[ https://issues.apache.org/jira/browse/JCLOUDS-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009579#comment-17009579 ]
Ignasi Barrera commented on JCLOUDS-1536:
-----------------------------------------

Thanks for the pointer, but we don't maintain the Jenkins jclouds plugin. Please refer to their issue tracker here: https://issues.jenkins-ci.org/issues/?jql=component%20%3D%20jclouds-plugin

> SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)
> -------------------------------------------------------------------------
>
> Key: JCLOUDS-1536
> URL: https://issues.apache.org/jira/browse/JCLOUDS-1536
> Project: jclouds
> Issue Type: Bug
> Affects Versions: 1.9.1
> Reporter: xingyunyang
> Priority: Blocker
>
> *SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)*
> JClouds Plugin did not perform permission checks on a method implementing
> form validation. This allowed users with Overall/Read access to Jenkins to
> connect to an attacker-specified URL using attacker-specified credentials IDs
> obtained through another method, capturing credentials stored in Jenkins.
> Additionally, this form validation method did not require POST requests,
> resulting in a cross-site request forgery vulnerability.
>
> Has the problem been fixed? If the problem has been fixed, please tell me the
> "commitid" for the fixed version. Thanks

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
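The two defects the quoted advisory describes, a Stapler form-validation method reachable by GET and run without a permission check, shown beside the hardened pattern as an added Java example. This is not the jclouds plugin's code: the class and method names are hypothetical, and only the Jenkins core and Stapler APIs it imports are real.

```java
// Hypothetical illustration, not the jclouds plugin's source.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// BEFORE: the shape of the flaw the advisory names. The "do" prefix makes
// Stapler expose this as a web-bound method; nothing restricts the HTTP verb
// (so a cross-site GET triggers it) and nothing checks the caller's permission
// (so any Overall/Read user can point Jenkins at a URL of their choosing with
// a credentials ID they learned elsewhere).
class VulnerableCloudDescriptor {
    public FormValidation doTestConnection(@QueryParameter String endpoint,
                                           @QueryParameter String credentialsId) {
        return ConnectionCheck.attempt(endpoint, credentialsId);
    }
}

// AFTER: require POST (Stapler rejects other verbs, closing the CSRF vector)
// and check a permission before any outbound connection or credentials
// lookup happens. Jenkins.ADMINISTER is used here because the check contacts
// an arbitrary endpoint; a descriptor scoped to an item would check that
// item's CONFIGURE permission instead.
class HardenedCloudDescriptor {
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String endpoint,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return ConnectionCheck.attempt(endpoint, credentialsId);
    }
}

// Placeholder for the real connection test; it performs no network I/O.
final class ConnectionCheck {
    static FormValidation attempt(String endpoint, String credentialsId) {
        if (endpoint == null || endpoint.isEmpty()) {
            return FormValidation.error("Endpoint is required");
        }
        if (credentialsId == null || credentialsId.isEmpty()) {
            return FormValidation.warning("No credentials selected");
        }
        return FormValidation.ok("Would attempt connection to " + endpoint);
    }
}
```

The ordering in the hardened method matters: the permission check runs before the endpoint and credentials are touched, so an unauthorized caller learns nothing from the response.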