CVE-2017-1000086 Information

Description

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin did not require that requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/100437
https://jenkins.io/security/advisory/2017-07-10/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.0

Base Severity

HIGH