CVE-2018-1000067 — Server-Side Request Forgery in Jenkins

CWE-918 — Server-Side Request Forgery CWE-287 — Improper Authentication8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 42.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Oracle Communications Cloud Native Core Automated Test Suite

Timeline

PublishedFeb 16

Latest updateMay 13

Description

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDjenkins/jenkins2.106+1

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Server-Side Request Forgery in Jenkins↗2022-05-13

▶

OSV

Server-Side Request Forgery in Jenkins↗2022-05-13

▶

CVEList

CVE-2018-1000067: An improper authorization vulnerability exists in Jenkins versions 2↗2018-02-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2018-02-14↗2018-02-14

▶

Red Hat

jenkins: Improperly secured form validation for proxy configuration allows Server-Side Request Forgery↗2018-02-14

▶

💬Community

Bugzilla

CVE-2018-1000067 jenkins: Improperly secured form validation for proxy configuration allows Server-Side Request Forgery [fedora-all]↗2018-02-15

▶

Bugzilla

CVE-2018-1000067 jenkins: Improperly secured form validation for proxy configuration allows Server-Side Request Forgery↗2018-02-15

▶