← Back to CVEs

CVE-2018-1000861

CRITICALCISA KEV

9.8

Description

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published12/10/2018

Last Modified11/5/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorJenkins

ProductJenkins Stapler Web Framework

Vulnerability NameJenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability

KEV Date Added2022-02-10

Remediation Due Date2022-08-10

Ransomware UseUnknown

Affected Products

jenkins:jenkinsredhat:openshift_container_platform

Weaknesses (CWE)

CWE-502CWE-502

References

http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html(cve@mitre.org)

http://www.securityfocus.com/bid/106176(cve@mitre.org)

https://access.redhat.com/errata/RHBA-2019:0024(cve@mitre.org)

https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595(cve@mitre.org)

http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)

http://www.securityfocus.com/bid/106176(af854a3a-2127-422b-91ae-364da2661108)

https://access.redhat.com/errata/RHBA-2019:0024(af854a3a-2127-422b-91ae-364da2661108)

https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1000861(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.