CVE-2017-1000086

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-1000086
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000086.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-1000086
Aliases
Published
2017-10-05T01:29:03Z
Modified
2024-09-03T01:33:06.207684Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.

References

Affected packages

Git / github.com/jenkinsci/periodicbackup-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/periodicbackup-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2e71bdf10b2c719276d0cea38870afc91486aede
Last affected
3d68ac2d19405305157c2373b22d436f3347734a
Last affected
86c9ca3909b2bff29e356f34cec5a0496568dbc8
Last affected
ac9f84b6afa3d03fb1c5b3c23346f0bb55c57d9b
Last affected
b4a02a5b4c6c36ee365c4abe13f56b5826e0af97

Affected versions

periodicbackup-1.*

periodicbackup-1.0
periodicbackup-1.1
periodicbackup-1.2
periodicbackup-1.3
periodicbackup-1.4