Lucene search

GitHub Advisory DatabaseGHSA-48PQ-X3VW-4PQF

HistoryMay 13, 2022 - 1:48 a.m.

Jenkins vSphere Plugin incorrect authorization vulnerability

2022-05-1301:48:33

CWE-863

GitHub Advisory Database

github.com

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

31.5%

JSON

An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server (“test connection”). As of version 2.17, these form validation methods require POST requests and appropriate user permissions.

Affected configurations

Vulners

Node

-org.jenkins-ci.plugins\Matchvsphere-cloud

CPENameOperatorVersion
org.jenkins-ci.plugins:vsphere-cloudle2.16

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:vsphere-cloud	le	2.16

References

github.com/advisories/GHSA-48pq-x3vw-4pqf

jenkins.io/security/advisory/2018-03-26/#SECURITY-745

nvd.nist.gov/vuln/detail/CVE-2018-1000152

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

31.5%

JSON

Related for GHSA-48PQ-X3VW-4PQF