CVE-2018-1000411 - OpenCVE

A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Junit

Configuration 1 [-]

cpe:2.3:a:jenkins:junit:*:*:*:*:*:jenkins:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/106532
https://github.com/jenkinsci/junit-plugin/commit/091ee0dc8dd6023713827ce1a5914fa9fa9b6043
https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101
https://nvd.nist.gov/vuln/detail/CVE-2018-1000411
https://www.cve.org/CVERecord?id=CVE-2018-1000411

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-09T23:00:00

Updated: 2024-08-05T12:40:47.011Z

Reserved: 2019-01-09T00:00:00

Link: CVE-2018-1000411

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-01-09T23:29:02.450

Modified: 2019-01-28T20:33:33.863

Link: CVE-2018-1000411

Redhat

Severity : Moderate

Publid Date: 2018-09-25T00:00:00Z

Links: CVE-2018-1000411 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-12-28T00:00:00", "datePublic": "2018-09-25T00:00:00", "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-14T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101"}, {"name": "106532", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106532"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-12-28T04:34:37.679451", "ID": "CVE-2018-1000411", "REQUESTER": "ml@beckweb.net", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101"}, {"name": "106532", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106532"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:40:47.011Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101"}, {"name": "106532", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106532"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000411", "datePublished": "2019-01-09T23:00:00", "dateReserved": "2019-01-09T00:00:00", "dateUpdated": "2024-08-05T12:40:47.011Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:junit:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "07AEA726-BD7E-4234-A8D6-E203D2044CFB", "versionEndIncluding": "1.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Request Forgery (CSRF) existe en Jenkins JUnit Plugin, en sus versiones 1.25 y anteriores, en TestObject.java que permite la configuraci\u00f3n de la descripci\u00f3n de un resultado de prueba."}], "id": "CVE-2018-1000411", "lastModified": "2019-01-28T20:33:33.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-09T23:29:02.450", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106532"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "jenkins-plugin-junit: CSRF due to URL not requiring POST requests", "id": "1639388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1639388"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-352", "details": ["A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result."], "name": "CVE-2018-1000411", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Will not fix", "impact": "low", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "low", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.3", "fix_state": "Will not fix", "package_name": "jenkins-plugin-junit", "product_name": "Red Hat OpenShift Container Platform 3.3"}, {"cpe": "cpe:/a:redhat:openshift:3.4", "fix_state": "Will not fix", "package_name": "jenkins-plugin-junit", "product_name": "Red Hat OpenShift Container Platform 3.4"}, {"cpe": "cpe:/a:redhat:openshift:3.5", "fix_state": "Will not fix", "package_name": "jenkins-plugin-junit", "product_name": "Red Hat OpenShift Container Platform 3.5"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Will not fix", "impact": "low", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Will not fix", "impact": "low", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Will not fix", "impact": "low", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.9"}], "public_date": "2018-09-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000411\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000411\nhttps://github.com/jenkinsci/junit-plugin/commit/091ee0dc8dd6023713827ce1a5914fa9fa9b6043\nhttps://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101"], "statement": "For Openshift, Jenkins is used within the infrastructure and deployment in OCP. The package is delivered within the technology but not used by default in production environments. It requires additional configuration in running environments which would be mainly use on testing applications being deployed. \nThe update is in the latest version released with Red Hat OpenShift 3.11.", "threat_severity": "Moderate", "upstream_fix": "jenkins-plugin-junit 1.26"}