CVE-2018-1000412

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-1000412
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000412.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-1000412
Aliases
Published
2019-01-09T23:29:02Z
Modified
2025-01-14T07:19:55.832065Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

References

Affected packages

Git / github.com/jenkinsci/jira-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/jira-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

jira-1.*

jira-1.26
jira-1.27
jira-1.28
jira-1.29
jira-1.30
jira-1.31
jira-1.32
jira-1.33
jira-1.34
jira-1.35
jira-1.36
jira-1.37
jira-1.38
jira-1.39
jira-1.40
jira-1.41

jira-2.*

jira-2.0
jira-2.1
jira-2.2
jira-2.2.1
jira-2.3
jira-2.4
jira-2.4.2
jira-2.5
jira-2.5.1
jira-2.5.2

jira-3.*

jira-3.0.0
jira-3.0.1