Improper Authorisation Affecting org.jenkins-ci.plugins:jira package, versions [,3.0.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGJENKINSCIPLUGINS-174631
  • published10 May 2019
  • disclosed9 Jan 2019
  • creditWadeck Follonier

Introduced: 9 Jan 2019

CVE-2018-1000412  (opens in a new tab)
CWE-255  (opens in a new tab)

How to fix?

Upgrade org.jenkins-ci.plugins:jira to version 3.0.1 or higher.

Overview

org.jenkins-ci.plugins:jira is a Jenkins plugin that has an optional feature to update JIRA issues with a back pointer to Jenkins build pages. This allows the submitter and watchers to quickly find out which build they need to pick up to get the fix.

Affected versions of this package are vulnerable to Improper Authorisation. The code allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.The fixes add additional checks to make sure that the appropriate level of authorisation is required to perform administrator level tasks.

Details

CVSS Scores

version 3.1