GHSA-2phq-ghf8-6586
GitHub Security Advisory
Jenkins Snow Commander Plugin prior to 2.0 vulnerable to Missing Authorization
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Snow Commander Plugin 1.10 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Affected Packages
Maven
io.jenkins.plugins:embotics-vcommander
Affected versions:
0
(fixed in 2.0)
Related CVEs
Key Information
5.0
/10
Dataset
Last updated: August 25, 2025 6:33 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.