CVE-2018-1999038

MEDIUM

Jenkins Publisher Over CIFS Plugin <0.10 - Confused Deputy

Title source: llm

Description

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials.

References (1)

[Vendor Advisory] https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975

Scores

CVSS v3 4.2

EPSS 0.0003

EPSS Percentile 8.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-441

Status published

Products (2)

jenkins/publish_over_cifs < 0.10

org.jenkins-ci.plugins/publish-over-cifs 0 - 0.11Maven

Published Aug 01, 2018

Tracked Since Feb 18, 2026