Server-side Request Forgery Vulnerability in Jenkins 2.120 and Older: Arbitrary URL Submission and Response Verification

Server-side Request Forgery Vulnerability in Jenkins 2.120 and Older: Arbitrary URL Submission and Response Verification

CVE-2018-1000195 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Learn more about our Cis Benchmark Audit For Server Software.