Vulnerabilities > CVE-2018-1999003 - Incorrect Authorization vulnerability in multiple products

047910
CVSS score 4.0 - MEDIUM (the metric values below use CVSS v2 terms)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
jenkins
oracle
CWE-863
nessus

Summary

An improper authorization vulnerability exists in Queue.java in Jenkins 2.132 and earlier, and in Jenkins LTS 2.121.1 and earlier, that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Configurations

Part Description Count
Application
Jenkins
1786
Application
Oracle
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CGI abuses
    NASL id: JENKINS_2_133.NASL
    description: The version of Jenkins running on the remote web server is prior to 2.133 or is a version of Jenkins LTS prior to 2.121.2. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111603
    published: 2018-08-09
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111603
    title: Jenkins < 2.121.2 / 2.133 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration. When the script is loaded with 'description' set,
    # only this metadata block runs; the exit(0) at the end of the block stops
    # the script before any of the check logic further down.
    if (description)
    {
      script_id(111603);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/04");
    
      # One plugin covers all seven CVEs listed here. The check below compares
      # version numbers only, so a finding does not show which of these issues
      # are actually reachable on the host.
      script_cve_id(
        "CVE-2018-1999001",
        "CVE-2018-1999002",
        "CVE-2018-1999003",
        "CVE-2018-1999004",
        "CVE-2018-1999005",
        "CVE-2018-1999006",
        "CVE-2018-1999007"
      );
    
      script_name(english:"Jenkins < 2.121.2 / 2.133 Multiple Vulnerabilities");
      script_summary(english:"Checks the Jenkins version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A job scheduling and management system hosted on the remote web server
    is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Jenkins running on the remote web server is prior to
    2.133 or is a version of Jenkins LTS prior to 2.121.2. It is,
    therefore, affected by multiple vulnerabilities.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2018-07-18/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade Jenkins to version 2.133 or later, Jenkins LTS to version
    2.121.2 or later.");
      # The base and temporal vectors below are attributed to CVE-2018-1999002
      # by the cvss_score_source attribute that follows them. They therefore
      # describe that CVE (no authentication, confidentiality impact) and are
      # not a per-CVE rating for the other six identifiers; triage each CVE
      # against its own score.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1999002");
    
      # Exploit availability is recorded at plugin level; this block does not
      # say which of the listed CVEs it refers to.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
      script_end_attributes();
    
      # Registered as an information-gathering check; consistent with the
      # description text, which states the issues themselves are not tested.
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The check reads knowledge-base entries under "www/Jenkins", so it
      # declares jenkins_detect.nasl as a dependency and requires that key.
      script_dependencies("jenkins_detect.nasl");
      script_require_keys("www/Jenkins");
      script_require_ports("Services/www", 8080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Version-only check: every decision below is made from knowledge-base
    # entries under "www/Jenkins/<port>/"; nothing is sent to the target here
    # to confirm any of the listed vulnerabilities. A proxy or banner that
    # hides or alters the reported version will change the result.
    http_port = get_http_port(default:8080);
    get_kb_item_or_exit("www/Jenkins/"+http_port+"/Installed");
    install_url = build_url(qs:'/', port:http_port);
    
    # Choose the product label and the first fixed release for the release
    # line recorded in the KB (weekly vs. LTS).
    if (!get_kb_item("www/Jenkins/"+http_port+"/is_LTS"))
    {
      product = "Jenkins Open Source";
      fixed_in = '2.133';
    }
    else
    {
      product = "Jenkins Open Source LTS";
      fixed_in = '2.121.2';
    }
    
    detected = get_kb_item("www/Jenkins/" + http_port + "/JenkinsVersion");
    
    # NOTE(review): only the literal 'unknown' is treated as an undetermined
    # version; what happens when the KB entry is absent depends on
    # ver_compare() - confirm against the detection plugin.
    if (detected == 'unknown')
    {
      audit(AUDIT_UNKNOWN_WEB_APP_VER, product, install_url);
    }
    
    # Anything at or above the fixed release is audited as not affected;
    # anything below it is reported.
    if (ver_compare(ver:detected, fix:fixed_in, strict:FALSE) >= 0)
    {
      audit(AUDIT_WEB_APP_NOT_AFFECTED, product, install_url, detected);
    }
    else
    {
      finding = '\n  URL           : ' + install_url;
      finding = finding + '\n  Product       : ' + product;
      finding = finding + '\n  Version       : ' + detected;
      finding = finding + '\n  Fixed version : ' + fixed_in;
      finding = finding + '\n';
    
      # xss:TRUE is passed along with the report; the advisory covered by this
      # plugin includes cross-site scripting issues.
      security_report_v4(port:http_port, severity:SECURITY_WARNING, extra:finding, xss:TRUE);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_20A1881E8A9E11E8BDDFD017C2CA229D.NASL
    description: Jenkins Security Advisory : Description
      - (High) SECURITY-897 / CVE-2018-1999001 Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
      - (High) SECURITY-914 / CVE-2018-1999002 Arbitrary file read vulnerability
      - (Medium) SECURITY-891 / CVE-2018-1999003 Unauthorized users could cancel queued builds
      - (Medium) SECURITY-892 / CVE-2018-1999004 Unauthorized users could initiate and abort agent launches
      - (Medium) SECURITY-944 / CVE-2018-1999005 Stored XSS vulnerability
      - (Medium) SECURITY-925 / CVE-2018-1999006 Unauthorized users are able to determine when a plugin was extracted from its JPI package
      - (Medium) SECURITY-390 / CVE-2018-1999007 XSS vulnerability in Stapler debug mode
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111176
    published: 2018-07-20
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111176
    title: FreeBSD : jenkins -- multiple vulnerabilities (20a1881e-8a9e-11e8-bddf-d017c2ca229d)