Vulnerability Description
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Vsphere | <= 2.16 |
Related Weaknesses (CWE)
References
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745Vendor Advisory
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745Vendor Advisory
FAQ
What is CVE-2018-1000153?
CVE-2018-1000153 is a vulnerability with a CVSS score of 8.8 (HIGH). A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnap...
How severe is CVE-2018-1000153?
CVE-2018-1000153 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000153?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Vsphere.