CVE-2018-1000195

CVSS v3.1 4.3 (Medium)

CVSS v2.0 4.3 (Medium)

EPSS 0.06 % (26^th)

Affected Products 2

Advisories 2

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Weaknesses

CWE-352: Cross-Site Request Forgery (CSRF)

CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2018-06-05 21:29:00
(6 years ago)
Updated Date: 2022-06-13 19:03:11
(2 years ago)

Affected Products

Jenkins

Jenkins

Oracle

Communications Cloud Native Core Automated Test Suite

Configuration #1

		CPE23	From	Up To
	Jenkins 2.120 and prior versions	cpe:2.3:a:jenkins:jenkins		<= 2.120

Configuration #2

		CPE23	From	Up To
	Jenkins 2.107.2 and prior versions	cpe:2.3:a:jenkins:jenkins::::*:lts		<= 2.107.2

Configuration #3

		CPE23	From	Up To
	Oracle Communications Cloud Native Core Automated Test Suite 1.9.0	cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0