CVE-2017-1000085

CVE-2017-1000085

Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

Source: CVE-2017-1000085

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다