CVE-2018-1000861
Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
- Public Exploits: 2
- Exploited in Wild: Yes
Descriptions
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
Timeline
- 2018-12-10 CVE Reserved
- 2018-12-10 CVE Published
- 2022-02-10 Exploited in Wild
- 2022-04-20 First Exploit
- 2022-08-10 KEV Due Date
- 2024-08-05 CVE Updated
- 2024-11-19 EPSS Updated
CWE
- CWE-502: Deserialization of Untrusted Data
References (11)
URL | Date | SRC
---|---|---
https://github.com/orangetw/awesome-jenkins-rce-2019 | 2022-04-20 |
https://github.com/smokeintheshell/CVE-2018-1000861 | 2023-09-13 |
https://access.redhat.com/errata/RHBA-2019:0024 | 2022-06-13 |
https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595 | 2022-06-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Jenkins | Jenkins | <= 2.138.3 | lts | Affected
Jenkins | Jenkins | <= 2.153 | - | Affected
Redhat | Openshift Container Platform | 3.11 | - | Affected