VYPR
Moderate severity · NVD Advisory · Published Jun 5, 2018 · Updated Sep 17, 2024

CVE-2018-1000188

Description

A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins CAS Plugin 1.4.1 and older allows SSRF via the doCheckCasServerUrl method, enabling attackers with Overall/Read access to make Jenkins send GET requests to arbitrary URLs.

Vulnerability

A server-side request forgery (SSRF) vulnerability exists in the Jenkins CAS Plugin, affecting versions 1.4.1 and older. The flaw resides in the doCheckCasServerUrl method in CasSecurityRealm.java, which performs a form validation check on the CAS server URL without enforcing any permission check beyond Overall/Read access. Additionally, the method does not require a POST request, making it susceptible to cross-site request forgery (CSRF) attacks [1][3]. The vulnerability allows an attacker with Overall/Read access to cause Jenkins to send a GET request to an attacker-specified URL [3].

Exploitation

An attacker needs only Overall/Read access to Jenkins, which is the default permission for authenticated users. No special privileges or user interaction beyond viewing a crafted page are required. The attacker can exploit the CSRF weakness by tricking an administrator into visiting a malicious page, or directly if the attacker already has Overall/Read access. The attacker can then specify an arbitrary URL via the casServerUrl parameter, and Jenkins will issue a GET request to that URL [1][3]. The fix (commit 25d952151d61dec3627e875f03ac4f648d5e883d) adds the @RequirePOST annotation and a check for the Jenkins.ADMINISTER permission [4].

Impact

Successful exploitation allows the attacker to leverage Jenkins as a proxy to perform SSRF attacks. The attacker can send GET requests to internal network resources that are reachable from the Jenkins server, potentially accessing sensitive internal services, cloud metadata endpoints, or other systems that are not normally exposed. This could lead to information disclosure or further compromise of internal infrastructure [1][3].

Mitigation

The fixed version is not explicitly stated in the available references, but the commit in [4] applies the fix to the source code. Users should upgrade to CAS Plugin version 1.5.0 or later (the first version after 1.4.1). According to the plugin's GitHub page [2], version 1.6.0 is the latest, but the upgrade path note for older Jenkins versions (2.150.2 to 2.150.3) mentions version 1.4.3, suggesting that 1.4.2 and lower are affected. Users unable to upgrade immediately should ensure that only trusted users have Overall/Read access, and consider enforcing POST requests for form validation via a reverse proxy or other mechanisms. The advisory [1] does not list this CVE in KEV.
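As an added detection example (not part of this advisory or the plugin's own code), the following Python script scans access-log lines from a reverse proxy in front of Jenkins for calls to the form-validation endpoint and flags the pattern described under Exploitation: a GET request whose submitted URL points at internal address space. It assumes Stapler's usual mapping of doCheckCasServerUrl to a path ending in /checkCasServerUrl and combined log format; the sample lines are constructed.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Assumption: Stapler exposes doCheckCasServerUrl under a path ending in /checkCasServerUrl;
# the descriptor prefix is not on the advisory page, so the rule matches the suffix only.
CHECK_SUFFIX = "/checkCasServerUrl"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def target_is_internal(url):
    """True if the submitted CAS URL points at loopback, private or link-local space."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"  # other DNS names would need resolution; not done offline
    # link-local covers the cloud metadata services named in the Impact section
    return ip.is_loopback or ip.is_private or ip.is_link_local

def analyse_line(line):
    """Return None for unrelated traffic, otherwise a finding for one validation call."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith(CHECK_SUFFIX):
        return None
    q = parse_qs(parts.query)  # f:textbox submits the field as the "value" query parameter
    cas_url = (q.get("value") or q.get("casServerUrl") or [""])[0]
    finding = {"src": m["src"], "user": m["user"], "method": m["method"],
               "status": int(m["status"]), "cas_url": cas_url}
    if m["method"] == "GET":
        # The unpatched plugin honours a GET with only Overall/Read: the SSRF/CSRF surface.
        finding["severity"] = "high" if target_is_internal(cas_url) else "medium"
    else:
        finding["severity"] = "info"  # POST is what the @RequirePOST fix requires
    return finding

def analyse(lines):
    return [f for f in map(analyse_line, lines) if f]

# Constructed sample lines in combined log format (a proxy in front of Jenkins), not real data.
_P = "/descriptorByName/org.jenkinsci.plugins.cas.CasSecurityRealm/checkCasServerUrl"
SAMPLE_LOG = [
    f'10.0.0.5 - admin [05/Jun/2018:10:00:00 +0000] "POST {_P} HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    f'10.0.0.9 - bob [05/Jun/2018:10:01:00 +0000] "GET {_P}?value=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 45 "-" "curl/7.58.0"',
    f'10.0.0.9 - bob [05/Jun/2018:10:02:00 +0000] "GET {_P}?value=https%3A%2F%2Fcas.example.org%2Fcas HTTP/1.1" 200 45 "-" "curl/7.58.0"',
    '10.0.0.9 - bob [05/Jun/2018:10:03:00 +0000] "GET /job/build-all/ HTTP/1.1" 200 9000 "-" "curl/7.58.0"',
]
```

Running analyse(SAMPLE_LOG) yields one "info" finding for the admin's POST, a "high" finding for the GET aimed at 127.0.0.1, and a "medium" finding for the GET aimed at an external host; the unrelated job request is ignored.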

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:cas-plugin (Maven)
Affected versions: < 1.4.2
Patched versions: 1.4.2

Patches

25d952151d61

Fix SECURITY-809

https://github.com/jenkinsci/cas-plugin · Fabien Crespel · Jun 1, 2018 · via ghsa
2 files changed · +5 −1
  • src/main/java/org/jenkinsci/plugins/cas/CasSecurityRealm.java · +4 −0 · modified
    @@ -27,6 +27,7 @@
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     import org.springframework.security.cas.ServiceProperties;
     import org.springframework.security.core.context.SecurityContextHolder;
     import org.springframework.security.web.AuthenticationEntryPoint;
    @@ -287,7 +288,10 @@ public String getDisplayName() {
     			return "CAS (Central Authentication Service)";
     		}
     
    +		@RequirePOST
     		public FormValidation doCheckCasServerUrl(@QueryParameter String value) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
    +
     			value = Util.fixEmptyAndTrim(value);
     			if (value == null)
     				return FormValidation.error(Messages.CasSecurityRealm_casServerUrl_missingUrl());
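Review bot: `Jenkins.getInstance()` on the added permission-check line has been annotated `@CheckForNull` in some Jenkins core versions, so depending on the core the plugin targets it can trip a NullPointerException before `checkPermission` runs; `Jenkins.getActiveInstance()` (or `Jenkins.get()` on cores that have it) avoids that. The ordering is right as written: `checkPermission(Jenkins.ADMINISTER)` precedes `Util.fixEmptyAndTrim(value)`, so a caller with only Overall/Read is rejected before the value is processed or any URL is fetched, and `@RequirePOST` closes the CSRF path described in the advisory.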
    
  • src/main/resources/org/jenkinsci/plugins/cas/CasSecurityRealm/config.jelly · +1 −1 · modified
    @@ -1,7 +1,7 @@
     <?jelly escape-by-default='true'?>
     <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
       <f:entry title="${%casServerUrl}" field="casServerUrl">
    -    <f:textbox />
    +    <f:textbox checkMethod="post" />
       </f:entry>
       <f:dropdownDescriptorSelector title="${%casProtocol}" field="casProtocol" />
       <f:entry title="${%forceRenewal}" field="forceRenewal">
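Review bot: `checkMethod="post"` is the client-side half of the `@RequirePOST` change in CasSecurityRealm.java: without it the textbox's validation call would still be sent as a GET and be rejected once the server requires POST, so the two hunks must ship together. That dependency is worth stating in the commit message; "Fix SECURITY-809" says neither what changed nor why.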
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
