{"url":"http://public2.vulnerablecode.io/api/packages/62761?format=json","purl":"pkg:maven/org.jenkins-ci.plugins/crowd2@2.0.0","type":"maven","namespace":"org.jenkins-ci.plugins","name":"crowd2","version":"2.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.1","latest_non_vulnerable_version":"2.0.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44078?format=json","vulnerability_id":"VCID-36gf-x9aq-dkef","summary":"Server-Side Request Forgery (SSRF)\nAn improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings.","references":[{"reference_url":"https://github.com/jenkinsci/crowd2-plugin/commit/a93d0fa221454adb4087520d8c1c087828211598","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/crowd2-plugin/commit/a93d0fa221454adb4087520d8c1c087828211598"},{"reference_url":"https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1067","reference_id":"","reference_type":"","scores":[],"url":"https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1067"},{"reference_url":"https://web.archive.org/web/20200227092927/http://www.securityfocus.com/bid/106532","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20200227092927/http://www.securityfocus.com/bid/106532"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000422","reference_id":"CVE-2018-1000422","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000422"},{"reference_url":"https://github.com/advisories/GHSA-grmg-5q49-mqmf","reference_id":"GHSA-grmg-5q49-mqmf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-grmg-5q49-mqmf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62762?format=json","purl":"pkg:maven/org.jenkins-ci.plugins/crowd2@2.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/crowd2@2.0.1"}],"aliases":["CVE-2018-1000422","GHSA-grmg-5q49-mqmf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-36gf-x9aq-dkef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43719?format=json","vulnerability_id":"VCID-pvsw-mqtv-p3a5","summary":"Insufficiently Protected Credentials\nAn insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd 2.","references":[{"reference_url":"https://github.com/jenkinsci/crowd2-plugin/commit/580be2a0dfb38d494420901f03555092b885a85f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/crowd2-plugin/commit/580be2a0dfb38d494420901f03555092b885a85f"},{"reference_url":"https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1068","reference_id":"","reference_type":"","scores":[],"url":"https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1068"},{"reference_url":"http://www.securityfocus.com/bid/106532","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/106532"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000423","reference_id":"CVE-2018-1000423","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000423"},{"reference_url":"https://github.com/advisories/GHSA-cg6q-gp23-vwx8","reference_id":"GHSA-cg6q-gp23-vwx8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cg6q-gp23-vwx8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62762?format=json","purl":"pkg:maven/org.jenkins-ci.plugins/crowd2@2.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/crowd2@2.0.1"}],"aliases":["CVE-2018-1000423","GHSA-cg6q-gp23-vwx8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pvsw-mqtv-p3a5"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/crowd2@2.0.0"}