CVE-2017-1000086

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:jenkins:periodic_backup:1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:periodic_backup:1.4:*:*:*:*:jenkins:*:*

History

21 Nov 2024, 03:04

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/100437 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/100437 - Third Party Advisory, VDB Entry
References () https://jenkins.io/security/advisory/2017-07-10/ - Vendor Advisory () https://jenkins.io/security/advisory/2017-07-10/ - Vendor Advisory

Information

Published : 2017-10-05 01:29

Updated : 2024-11-21 03:04


NVD link : CVE-2017-1000086

Mitre link : CVE-2017-1000086

CVE.ORG link : CVE-2017-1000086


JSON object : View

Products Affected

jenkins

  • periodic_backup
CWE
CWE-862

Missing Authorization