4.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1999038

GHSA ID

GHSA-rf7h-9m85-535v

EPSS Score

0.07093%

CWE

CWE-441

Published

5/14/2022

Updated

12/18/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1999038

CVE-2018-1999038: Jenkins Publisher Over CIFS Plugin confused deputy vulnerability

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 0.11, this form validation method requires POST requests and Overall/Administer permissions.

(GitHub Advisory)

4.2

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1999038

GHSA ID

GHSA-rf7h-9m85-535v

EPSS Score

0.07093%

CWE

CWE-441

Published

5/14/2022

Updated

12/18/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:publish-over-cifs	maven	<= 0.10	0.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows security fixes were applied to the doTestConnection method: 1) Added @POST verb restriction 2) Added Administer permission check. The vulnerability description explicitly states this method was vulnerable due to missing these protections. The function's purpose (testing CIFS connections) directly matches the attack scenario described in CVE-2018-1999038.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *on*us** **puty vuln*r**ility *xists in J*nkins Pu*lis**r Ov*r *I*S Plu*in *.** *n* **rli*r in *i*sPu*lis**rPlu*in**s*riptor.j*v* t**t *llows *tt**k*rs to **v* J*nkins *onn**t to *n *tt**k*r sp**i*i** *I*S s*rv*r wit* *tt**k*r sp**i*i** *r***nti*ls

Reasoning

T** *ommit *i** s*ows s**urity *ix*s w*r* *ppli** to t** `*oT*st*onn**tion` m*t*o*: *) ***** @POST v*r* r*stri*tion *) ***** **minist*r p*rmission ****k. T** vuln*r**ility **s*ription *xpli*itly st*t*s t*is m*t*o* w*s vuln*r**l* *u* to missin* t**s*

4.2

Basic Information

Concerned about an active attack path?

CVE-2018-1999038: Jenkins Publisher Over CIFS Plugin confused deputy vulnerability

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI