CVE-2018-1000152
https://notcve.org/view.php?id=CVE-2018-1000152
An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form-validation-related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or to send credentials stored in Jenkins with a known ID to an attacker-specified server ("test connection").
• https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745
• CWE-863: Incorrect Authorization
CVE-2018-1000153
https://notcve.org/view.php?id=CVE-2018-1000153
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form-validation-related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or to send credentials stored in Jenkins with a known ID to an attacker-specified server ("test connection").
• https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-1000151
https://notcve.org/view.php?id=CVE-2018-1000151
A man-in-the-middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default.
• https://jenkins.io/security/advisory/2018-03-26/#SECURITY-504
• CWE-295: Improper Certificate Validation
CVE-2012-1512
https://notcve.org/view.php?id=CVE-2012-1512
Cross-site scripting (XSS) vulnerability in the internal browser in vSphere Client in VMware vSphere 4.1 before Update 2 and 5.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via a crafted log-file entry.
• http://osvdb.org/80119
• http://secunia.com/advisories/48387
• http://www.securityfocus.com/bid/52525
• http://www.securitytracker.com/id?1026817
• http://www.vmware.com/security/advisories/VMSA-2012-0005.html
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74093
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')