CVE-2018-1000422: Server-Side Request Forgery (SSRF)

May 14, 2022 (updated January 9, 2024)

An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings.

References

github.com/advisories/GHSA-grmg-5q49-mqmf
github.com/jenkinsci/crowd2-plugin/commit/a93d0fa221454adb4087520d8c1c087828211598
jenkins.io/security/advisory/2018-09-25/
nvd.nist.gov/vuln/detail/CVE-2018-1000422
web.archive.org/web/20200227092927/http://www.securityfocus.com/bid/106532

Detect and mitigate CVE-2018-1000422 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →