CVE-2017-1000085

Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/99574	Third Party Advisory VDB Entry
https://jenkins.io/security/advisory/2017-07-10/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:subversion:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2017-10-05 01:29

Updated : 2023-12-10 12:15

NVD link : CVE-2017-1000085

Mitre link : CVE-2017-1000085

CVE.ORG link : CVE-2017-1000085

JSON object : View

Products Affected

jenkins

subversion

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2017-1000085", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2017-10-05T01:29:03.540", "references": [{"url": "http://www.securityfocus.com/bid/99574", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://jenkins.io/security/advisory/2017-07-10/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks."}, {"lang": "es", "value": "El plugin Subversion conecta con un repositorio Subversion especificado por el usuario como parte de una validaci\u00f3n de formulario (por ejemplo, para recuperar una lista de etiquetas). La herramienta no comprueba correctamente los permisos, lo que permite que cualquier usuario con permisos Item/Build (pero no Item/Configure) se conecte a cualquier servidor web o servidor Subversion y env\u00ede credenciales con un ID conocido, pudiendo capturarlas en consecuencia. Adem\u00e1s, esta funcionalidad no necesita utilizar peticiones POST, lo que permite que se realice lo anterior sin tener acceso directo a Jenkins mediante ataques de tipo Cross-Site Request Forgery (CSRF)."}], "lastModified": "2017-11-02T16:06:34.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:subversion:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "9DB3B3E5-3597-47C3-94F9-679392CAF0B1", "versionEndIncluding": "2.8"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}