CVE-2018-1000067 - Server-Side Request Forgery (SSRF) vulnerability in multiple products

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, jenkins, oracle, CWE-918, nessus

Summary

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Configurations

Part          Description   Count
Application   Jenkins       1730
Application   Oracle        1

Common Weakness Enumeration (CWE)

Nessus

NASL family: CGI abuses
NASL id: JENKINS_2_107_CVE_2018_1000067.NASL
Description: The remote web server hosts a version of Jenkins that is prior to 2.107, or a version of Jenkins LTS prior to 2.89.4. It is, therefore, affected by a server-side request forgery (SSRF) vulnerability. Insufficient proxy configuration form access control allows attackers with overall/read access to Jenkins to force Jenkins to send a GET request to a specified URL. Some information about the request's response is also available to the attacker.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 125733
Published: 2019-06-05
Reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/125733
Title: Jenkins < 2.107 / < 2.89.4 (LTS) Server-Side Request Forgery (SSRF) Vulnerability
Code:
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');

if (description)
{
  script_id(125733);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/18 23:14:14");

  script_cve_id("CVE-2018-1000067");
  script_bugtraq_id(104500);

  script_name(english:"Jenkins < 2.107 / < 2.89.4 (LTS) Server-Side Request Forgery (SSRF) Vulnerability");
  script_summary(english:"Checks the Jenkins version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a job scheduling and management system that is affected by a server-side request forgery 
(SSRF) vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote web server hosts a version of Jenkins that is prior to 2.107, or a version of Jenkins LTS prior to 2.89.4. 
It is, therefore, affected by a server-side request forgery (SSRF) vulnerability. Insufficient proxy configuration form
access control allow attackers with overall/read access to Jenkins to force Jenkins to send a GET request to a 
specified URL. Some information about the request's response is also available to the attacker.");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2018-02-14/");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/changelog/");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/changelog-stable/");
  script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins to version 2.107 or later. For Jenkins LTS, upgrade 
  to version 2.89.4 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000067");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jenkins_detect.nasl");
  script_require_keys("installed_sw/Jenkins");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include('http.inc');
include('vcf.inc');
include('vcf_extras.inc');

port = get_http_port(default:8080);
app_info = vcf::get_app_info(app:'Jenkins', port:port, webapp:TRUE);

constraints = [
  {'edition':'Open Source', 'fixed_version':'2.107'},
  {'edition':'Open Source LTS', 'fixed_version':'2.89.4'}
];
vcf::jenkins::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
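The plugin above reduces to two version constraints: weekly releases below 2.107 and LTS releases below 2.89.4. The following is an added example, not Tenable's code, that applies the same constraints in Python to the version string Jenkins advertises in its X-Jenkins response header; it assumes the usual Jenkins convention that LTS versions carry three numeric components and weekly releases carry two, and the sample header dict is constructed.

```python
"""Triage a Jenkins instance against the CVE-2018-1000067 fix versions."""
from typing import Dict, Tuple

# Fix versions from the 2018-02-14 advisory, matching the NASL constraints.
FIXED_WEEKLY = (2, 107)
FIXED_LTS = (2, 89, 4)


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn '2.89.3' or '2.106-SNAPSHOT' into a comparable tuple of ints.

    Anything after a hyphen or space (build qualifiers) is dropped. Jenkins
    weekly releases use two components, LTS releases use three (assumption
    used for the LTS/weekly split below).
    """
    core = raw.strip().split("-")[0].split(" ")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version: {raw!r}")
    return parts


def is_lts(version: Tuple[int, ...]) -> bool:
    return len(version) == 3


def is_affected(raw: str) -> bool:
    """True when the version is below the fix version for its release line."""
    version = parse_version(raw)
    threshold = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return version < threshold


def triage_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Evaluate a response header map (case-insensitive keys) from a Jenkins host."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-jenkins")
    if raw is None:
        return {"detected": False}
    version = parse_version(raw)
    lts = is_lts(version)
    return {
        "detected": True,
        "version": raw,
        "lts": lts,
        "affected": is_affected(raw),
        "fixed_in": ".".join(map(str, FIXED_LTS if lts else FIXED_WEEKLY)),
    }


# Constructed sample: an LTS instance one patch level below the fix.
SAMPLE_HEADERS = {"X-Jenkins": "2.89.3", "Server": "Jetty(9.4.z-SNAPSHOT)"}
```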