[ https://issues.apache.org/jira/browse/JCLOUDS-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ignasi Barrera resolved JCLOUDS-1536.
-------------------------------------
Resolution: Invalid
> SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)
> -------------------------------------------------------------------------
>
> Key: JCLOUDS-1536
> URL: https://issues.apache.org/jira/browse/JCLOUDS-1536
> Project: jclouds
> Issue Type: Bug
> Affects Versions: 1.9.1
> Reporter: xingyunyang
> Priority: Blocker
>
> *SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)*
> JClouds Plugin did not perform permission checks on a method implementing
> form validation. This allowed users with Overall/Read access to Jenkins to
> connect to an attacker-specified URL using attacker-specified credentials IDs
> obtained through another method, capturing credentials stored in Jenkins.
> Additionally, this form validation method did not require POST requests,
> resulting in a cross-site request forgery vulnerability.
>
> Has the problem been fixed? If the problem has been fixed, please tell me the
> "commitid" for the fixed version. Thanks
--
This message was sent by Atlassian Jira
(v8.3.4#803005)