PT-2018-9324 · Jenkins · Jenkins Vsphere Plugin+1

Daniel Beck

Published

2018-04-05

Updated

2022-05-13

CVE-2018-1000152

CVSS v2.0

6.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Jenkins vSphere Plugin versions 2.16 and older

Description An improper authorization issue exists in the Jenkins vSphere Plugin that allows attackers to perform form validation related actions. This includes sending numerous requests to the configured vSphere server, potentially resulting in denial of service. Attackers can also send credentials stored in Jenkins with a known ID to an attacker-specified server using the "test connection" feature.

Recommendations For Jenkins vSphere Plugin versions 2.16 and older, update to version 2.17 or later, which requires POST requests and appropriate user permissions for form validation methods, mitigating the issue.

Fix

DoS

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2018-1000152

GHSA-48PQ-X3VW-4PQF

Affected Products

Jenkins

Jenkins Vsphere Plugin

PT-2018-9324 · Jenkins · Jenkins Vsphere Plugin+1

CVE-2018-1000152

Weakness Enumeration

Related Identifiers

Affected Products

References · 5