CVE-2018-1000153

Name of the Vulnerable Software and Affected Versions Jenkins vSphere Plugin versions 2.16 and older

Description A cross-site request forgery issue exists in the Jenkins vSphere Plugin that allows attackers to perform form validation related actions. This includes sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or sending credentials stored in Jenkins with a known ID to an attacker-specified server, specifically through the "test connection" feature. The form validation methods in the affected versions did not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins vSphere Plugin versions 2.16 and older, update to version 2.17 or later, which requires POST requests and appropriate user permissions for form validation methods, thereby mitigating the CSRF vulnerability.