CVE-2017-1000085
Summary
| CVE | CVE-2017-1000085 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2017-10-05 01:29:00 UTC |
|---|
| Updated | 2017-11-02 16:06:00 UTC |
|---|
| Description | Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks. |
|---|
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|
| Application |
Jenkins |
Subversion |
All |
All |
All |
All |
References
| Reference | Source | Link | Tags |
|---|
| Jenkins Security Advisory 2017-07-10 |
CONFIRM |
jenkins.io |
Vendor Advisory |
| Jenkins Subversion Plugin CVE-2017-1000085 Cross Site Request Forgery Vulnerability |
BID |
www.securityfocus.com |
Third Party Advisory, VDB Entry |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 900131 CBL-Mariner Linux Security Update for subversion 1.14.0
- 900132 CBL-Mariner Linux Security Update for c-ares 1.14.0
