Description

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Remediation

References

CVE-2018-1000195

Related Vulnerabilities

Oracle HTTP Server CVE-2007-0280 Vulnerability (CVE-2007-0280)

WordPress Plugin Tickera-WordPress Event Ticketing Cross-Site Scripting (3.4.8.2)

Joomla Improper Input Validation Vulnerability (CVE-2020-10240)

WordPress Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2007-4894)

Internet Information Services Other Vulnerability (CVE-2002-1695)

Severity

Medium

Classification

CVE-2018-1000195 CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities