1. CVE-Search
  2. CVE-2018-1000152
ID CVE-2018-1000152
Summary An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").
References
Vulnerable Configurations
  • cpe:2.3:a:jenkins:vsphere:0.2:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.3:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.4:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.5:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.6:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.7:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.8:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.9:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:0.10:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:0.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.0.1:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.0.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.0.2:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.0.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.0:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.1:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.2:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.3:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.4:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.5:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.6:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.7:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.8:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.9:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.10:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.11:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.11:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:1.1.12:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:1.1.12:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.0:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.1:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.2:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.3:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.4:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.5:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.6:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.7:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.8:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.9:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.10:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.11:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.11:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.12:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.12:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.13:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.13:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.14:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.14:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.15:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.15:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:vsphere:2.16:*:*:*:*:jenkins:*:*
    cpe:2.3:a:jenkins:vsphere:2.16:*:*:*:*:jenkins:*:*
CVSS
Base: 6.5 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
refmap via4
confirm https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745
Last major update 03-10-2019 - 00:03
Published 05-04-2018 - 13:29
Last modified 03-10-2019 - 00:03
Back to Top