{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12262?format=json","vulnerability_id":"VCID-6tep-1v3c-bbhb","summary":"Cross-Site Request Forgery (CSRF)\nA cross-site request forgery vulnerability exists in Jenkins vSphere that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server (`test connection`).","aliases":[{"alias":"CVE-2018-1000153"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54290?format=json","purl":"pkg:maven/org.jenkins-ci.plugins/vsphere-cloud@2.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/vsphere-cloud@2.17"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54289?format=json","purl":"pkg:maven/org.jenkins-ci.plugins/vsphere-cloud@2.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4afq-qvvv-c3cn"},{"vulnerability":"VCID-5q75-nedf-p7fm"},{"vulnerability":"VCID-6tep-1v3c-bbhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/vsphere-cloud@2.16"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1000153","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18544","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1000153"},{"reference_url":"https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745","reference_id":"","reference_type":"","scores":[],"url":"https://jenkins.io/security/advisory/2018-03-26/#SECURITY-745"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000153","reference_id":"CVE-2018-1000153","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000153"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":352,"name":"Cross-Site Request Forgery (CSRF)","description":"The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6tep-1v3c-bbhb"}