ID JENKINS_2_107_CVE_2018_1000067.NASL Type nessus Reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The remote web server hosts a version of Jenkins that is prior to 2.107, or a version of Jenkins LTS prior to 2.89.4.
It is, therefore, affected by a server-side request forgery (SSRF) vulnerability. Insufficient access control on the
proxy configuration form allows attackers with Overall/Read access to Jenkins to force Jenkins to send a GET request to a
specified URL. Some information about the request's response is also available to the attacker.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
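# Plugin metadata block. It runs only when `description` is set, registers the
# identifiers, advisory text, scoring and scheduling requirements for this
# check, and then exits before any of the detection code below is reached.
if (description)
{
  script_id(125733);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/18 23:14:14");

  # The single CVE this plugin reports; every other CVE reference in this
  # block must agree with it.
  script_cve_id("CVE-2018-1000067");
  script_bugtraq_id(104500);

  script_name(english:"Jenkins < 2.107 / < 2.89.4 (LTS) Server-Side Request Forgery (SSRF) Vulnerability");
  # The summary states the detection method: a version comparison only.
  script_summary(english:"Checks the Jenkins version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a job scheduling and management system that is affected by a server-side request forgery
(SSRF) vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote web server hosts a version of Jenkins that is prior to 2.107, or a version of Jenkins LTS prior to 2.89.4.
It is, therefore, affected by a server-side request forgery (SSRF) vulnerability. Insufficient proxy configuration form
access control allow attackers with overall/read access to Jenkins to force Jenkins to send a GET request to a
specified URL. Some information about the request's response is also available to the attacker.");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2018-02-14/");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/changelog/");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/changelog-stable/");
  script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins to version 2.107 or later. For Jenkins LTS, upgrade
to version 2.89.4 or later");

  # NOTE(review): the description text requires Overall/Read access, while
  # both base vectors score no authentication (Au:N) and no privileges (PR:N).
  # Presumably this covers instances that grant Overall/Read to anonymous
  # users; confirm against the advisory before relying on the score to
  # prioritise instances that do not.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  # Fixed: this attribute previously named CVE-2017-1000067, which does not
  # match script_cve_id above. A wrong year here can make tools that consume
  # the attribute link this Jenkins finding to an unrelated advisory.
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1000067");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # NOTE(review): the patch date is one day earlier than the disclosure date
  # and than the date in the advisory URL (2018-02-14) - confirm.
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling: the Jenkins detection plugin is declared as a dependency, and
  # the check requires the installed_sw/Jenkins knowledge-base key it is
  # expected to set, plus a web service port (8080 is listed explicitly).
  script_dependencies("jenkins_detect.nasl");
  script_require_keys("installed_sw/Jenkins");
  script_require_ports("Services/www", 8080);

  # End of the description pass; nothing below runs in this mode.
  exit(0);
}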
include('http.inc');
include('vcf.inc');
include('vcf_extras.inc');
# First fixed release per Jenkins edition; anything older is reported.
constraints = [
  {'edition':'Open Source',     'fixed_version':'2.107'},
  {'edition':'Open Source LTS', 'fixed_version':'2.89.4'}
];

# Locate the web port (8080 when nothing else is known) and load the Jenkins
# install details for that port.
port = get_http_port(default:8080);
app_info = vcf::get_app_info(
  app:'Jenkins',
  port:port,
  webapp:TRUE
);

# Version comparison only (per the plugin summary): no request exercising the
# proxy configuration form is sent, so the result is only as accurate as the
# detected version and edition. Findings are reported at SECURITY_WARNING.
vcf::jenkins::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
{"id": "JENKINS_2_107_CVE_2018_1000067.NASL", "bulletinFamily": "scanner", "title": "Jenkins < 2.107 / < 2.89.4 (LTS) Server-Side Request Forgery (SSRF) Vulnerability", "description": "The remote web server hosts a version of Jenkins that is prior to 2.107, or a version of Jenkins LTS prior to 2.89.4. \nIt is, therefore, affected by a server-side request forgery (SSRF) vulnerability. Insufficient proxy configuration form\naccess control allow attackers with overall/read access to Jenkins to force Jenkins to send a GET request to a \nspecified URL. Some information about the request's response is also available to the attacker.", "published": "2019-06-05T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/125733", "reporter": "This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://jenkins.io/changelog/", "https://jenkins.io/security/advisory/2018-02-14/", "https://jenkins.io/changelog-stable/"], "cvelist": ["CVE-2018-1000067", "CVE-2017-1000067"], "type": "nessus", "lastseen": "2021-01-01T03:19:11", "edition": 17, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000067", "CVE-2018-1000067"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112227", "OPENVAS:1361412562310106799", "OPENVAS:1361412562310112228"]}], "modified": "2021-01-01T03:19:11", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2021-01-01T03:19:11", "rev": 2}, "vulnersScore": 6.2}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125733);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/10/18 23:14:14\");\n\n script_cve_id(\"CVE-2018-1000067\");\n script_bugtraq_id(104500);\n\n script_name(english:\"Jenkins < 2.107 / < 2.89.4 (LTS) Server-Side Request Forgery (SSRF) Vulnerability\");\n 
script_summary(english:\"Checks the Jenkins version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a job scheduling and management system that is affected by a server-side request forgery \n(SSRF) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server hosts a version of Jenkins that is prior to 2.107, or a version of Jenkins LTS prior to 2.89.4. \nIt is, therefore, affected by a server-side request forgery (SSRF) vulnerability. Insufficient proxy configuration form\naccess control allow attackers with overall/read access to Jenkins to force Jenkins to send a GET request to a \nspecified URL. Some information about the request's response is also available to the attacker.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/security/advisory/2018-02-14/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/changelog/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/changelog-stable/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Jenkins to version 2.107 or later. 
For Jenkins LTS, upgrade \n to version 2.89.4 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1000067\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\");\n script_require_keys(\"installed_sw/Jenkins\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:8080);\napp_info = vcf::get_app_info(app:'Jenkins', port:port, webapp:TRUE);\n\nconstraints = [\n {'edition':'Open Source', 'fixed_version':'2.107'},\n {'edition':'Open Source LTS', 'fixed_version':'2.89.4'}\n];\nvcf::jenkins::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "naslFamily": "CGI abuses", "pluginID": "125733", "cpe": ["cpe:/a:cloudbees:jenkins"], "scheme": null, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}
{"cve": [{"lastseen": "2020-10-03T13:07:30", "description": "MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-17T13:18:00", "title": "CVE-2017-1000067", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000067"], "modified": "2017-07-21T16:59:00", "cpe": ["cpe:/a:modx:revolution:2.5.4", "cpe:/a:modx:revolution:2.2.6", "cpe:/a:modx:revolution:2.2.9", "cpe:/a:modx:revolution:2.2.0", "cpe:/a:modx:revolution:2.1.5", "cpe:/a:modx:revolution:2.4.1", "cpe:/a:modx:revolution:2.1.0", "cpe:/a:modx:revolution:2.4.0", "cpe:/a:modx:revolution:2.5.6", "cpe:/a:modx:revolution:2.5.0", "cpe:/a:modx:revolution:2.5.2", "cpe:/a:modx:revolution:2.5.3", "cpe:/a:modx:revolution:2.2.1", "cpe:/a:modx:revolution:2.5.1", "cpe:/a:modx:revolution:2.2.7", "cpe:/a:modx:revolution:2.1.3", "cpe:/a:modx:revolution:2.2.2", "cpe:/a:modx:revolution:2.2.3", 
"cpe:/a:modx:revolution:2.0.0", "cpe:/a:modx:revolution:2.0.1", "cpe:/a:modx:revolution:2.2.8", "cpe:/a:modx:revolution:2.1.4", "cpe:/a:modx:revolution:2.1.1", "cpe:/a:modx:revolution:2.2.4", "cpe:/a:modx:revolution:2.3.0", "cpe:/a:modx:revolution:2.1.2", "cpe:/a:modx:revolution:2.2.5", "cpe:/a:modx:revolution:2.3.1", "cpe:/a:modx:revolution:2.5.5"], "id": "CVE-2017-1000067", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000067", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:modx:revolution:2.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.0:p12:*:*:*:*:*:*", 
"cpe:2.3:a:modx:revolution:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.1:p12:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:modx:revolution:2.0.0:rc1:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:29", "description": "An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2018-02-16T00:29:00", "title": "CVE-2018-1000067", "type": "cve", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000067"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:jenkins:jenkins:2.89.3", "cpe:/a:jenkins:jenkins:2.106"], "id": "CVE-2018-1000067", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000067", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.106:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.89.3:*:*:*:lts:*:*:*"]}], "openvas": [{"lastseen": "2019-07-30T13:53:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6356", "CVE-2018-1000067", "CVE-2018-1000068"], "description": "This host is installed with Jenkins and is prone to multiple vulnerabilities.", "modified": "2019-07-30T00:00:00", "published": "2018-02-19T00:00:00", "id": "OPENVAS:1361412562310112228", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112228", "type": "openvas", "title": "Jenkins < 2.107 and < 2.89.4 LTS Multiple Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins < 2.107 and < 2.89.4 LTS Multiple Vulnerabilities (Windows)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112228\");\n script_version(\"2019-07-30T03:00:13+0000\");\n\n script_cve_id(\"CVE-2018-6356\", \"CVE-2018-1000067\", \"CVE-2018-1000068\");\n\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-30 03:00:13 +0000 (Tue, 30 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-02-19 11:00:00 +0100 (Mon, 19 Feb 2018)\");\n\n script_name(\"Jenkins < 2.107 and < 2.89.4 LTS Multiple Vulnerabilities (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2018-02-14/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Jenkins is prone to the following vulnerabilities:\n\n - Path traversal vulnerability which allows access to files outside plugin resources. (CVE-2018-6356)\n\n - Improperly secured form validation for proxy configuration, allowing Server-Side Request Forgery. 
(CVE-2018-1000067)\n\n - Improper input validation, allowing unintended access to plugin resource files on case-insensitive file systems. (CVE-2018-1000068)\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS up to and including 2.89.3, Jenkins weekly up to and including 2.106.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Jenkins weekly to 2.107 or later / Jenkins LTS to 2.89.4 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( !port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif (!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if ( version_is_less( version:version, test_version:\"2.89.4\" ) ) {\n vuln = TRUE;\n fix = \"2.89.4\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.107\" ) ) {\n vuln = TRUE;\n fix = \"2.107\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-30T13:53:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6356", "CVE-2018-1000067", "CVE-2018-1000068"], "description": "This host is installed with Jenkins and is prone to multiple vulnerabilities.", "modified": "2019-07-30T00:00:00", "published": "2018-02-19T00:00:00", "id": "OPENVAS:1361412562310112227", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112227", "type": "openvas", "title": "Jenkins < 2.107 and < 2.89.4 LTS Multiple Vulnerabilities (Linux)", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins < 2.107 and < 2.89.4 LTS Multiple Vulnerabilities (Linux)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112227\");\n script_version(\"2019-07-30T03:00:13+0000\");\n\n script_cve_id(\"CVE-2018-6356\", \"CVE-2018-1000067\", \"CVE-2018-1000068\");\n\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-30 03:00:13 +0000 (Tue, 30 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-02-19 11:00:00 +0100 (Mon, 19 Feb 2018)\");\n\n script_name(\"Jenkins < 2.107 and < 2.89.4 LTS Multiple Vulnerabilities (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", 
\"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2018-02-14/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Jenkins is prone to the following vulnerabilities:\n\n - Path traversal vulnerability which allows access to files outside plugin resources. (CVE-2018-6356)\n\n - Improperly secured form validation for proxy configuration, allowing Server-Side Request Forgery. (CVE-2018-1000067)\n\n - Improper input validation, allowing unintended access to plugin resource files on case-insensitive file systems. (CVE-2018-1000068)\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS up to and including 2.89.3, Jenkins weekly up to and including 2.106.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Jenkins weekly to 2.107 or later / Jenkins LTS to 2.89.4 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( !port = get_app_port( cpe:CPE ) )\n exit(0);\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif (!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if ( version_is_less( version:version, test_version:\"2.89.4\" ) ) {\n vuln = TRUE;\n fix = \"2.89.4\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.107\" ) ) {\n vuln = TRUE;\n fix = \"2.107\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", 
"cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9069", "CVE-2017-9070", "CVE-2017-9068", "CVE-2017-9067", "CVE-2017-9071", "CVE-2017-1000067"], "description": "MODX Revolution CMS is prone to multiple vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2017-05-15T00:00:00", "id": "OPENVAS:1361412562310106799", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106799", "type": "openvas", "title": "MODX Revolution CMS Multiple Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_modx_cms_mult_vuln_apr17.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# MODX Revolution CMS Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:modx:revolution';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106799\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-15 08:46:55 +0700 (Mon, 15 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2017-9067\", \"CVE-2017-9068\", \"CVE-2017-9069\", \"CVE-2017-9070\", \"CVE-2017-9071\", \"CVE-2017-1000067\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"MODX Revolution CMS Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_modx_cms_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"modx_cms/installed\");\n\n script_tag(name:\"summary\", value:\"MODX Revolution CMS is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MODX Revolution CMS is prone to multiple vulnerabilities:\n\n - Stored XSS in UserGroup names and various other fields\n\n - User/email enumeration in forgot password feature\n\n - XSS cache poisoning via Host header\n\n - Reflected XSS in setup\n\n - Local file inclusion 
vulnerability in setup action parameter\n\n - Various local file inclusion preventions to also protect on windows\n\n - Stored XSS in resource pagetitle\n\n - Blind SQL injection\n\n - PHP code execution\");\n\n script_tag(name:\"affected\", value:\"Version 2.5.6 and prior.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.5.7\");\n\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt\");\n script_xref(name:\"URL\", value:\"https://bitflipper.eu/finding/2017/05/modx-revolution-256-blind-sql-injection.html\");\n script_xref(name:\"URL\", value:\"https://bitflipper.eu/finding/2017/05/modx-revolution-256-php-code-execution.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"2.5.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.5.7\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}