CVE-2017-1000086

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
References
Link Resource
http://www.securityfocus.com/bid/100437 Third Party Advisory VDB Entry
https://jenkins.io/security/advisory/2017-07-10/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:jenkins:periodic_backup:1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.4:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2017-10-05 01:29

Updated : 2024-02-28 16:04


NVD link : CVE-2017-1000086

Mitre link : CVE-2017-1000086

CVE.ORG link : CVE-2017-1000086


JSON object : View

Products Affected

jenkins

  • periodic_backup
CWE
CWE-862

Missing Authorization