CVE-2018-1000861
CVE-2018-1000861
In short
Jenkins versions up to 2.153 contain a vulnerability in the Stapler framework that allows attackers to execute arbitrary code by accessing specially crafted URLs, bypassing intended access restrictions on Java methods.
Technical detail
A deserialization and reflection-based code execution flaw in Stapler's MetaClass.java enables remote attackers to invoke unintended Java methods through crafted HTTP requests. The vulnerability affects Jenkins 2.153 and LTS 2.138.3 and earlier, with no authentication required; successful exploitation results in remote code execution with Jenkins process privileges.
Summary generated and translated by AI from the official description.
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 3
githubgithub.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION★ 4githubgithub.com/smokeintheshell/CVE-2018-1000861★ 0cve_referencepacketstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.htmlunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.htmlhttps://access.redhat.com/errata/RHBA-2019:0024https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1000861http://www.securityfocus.com/bid/106176