Jenkins Team Concert Plugin missing permission check
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Oct 27, 2023
Description
Published by the National Vulnerability Database
Dec 17, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Oct 27, 2023
Last updated
Oct 27, 2023
Jenkins Team Concert Plugin 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
As of publication of this advisory, there is no fix.
References