← Retour aux CVEs
CVE-2018-1000861
CRITICALCISA KEV9.8
Description
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie12/10/2018
Derniere modification11/5/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurJenkins
ProduitJenkins Stapler Web Framework
Nom vulnerabiliteJenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
Date ajout KEV2022-02-10
Date limite remediation2022-08-10
Utilise dans ransomwareUnknown
Produits affectes
jenkins:jenkinsredhat:openshift_container_platform
Faiblesses (CWE)
CWE-502CWE-502
References
http://www.securityfocus.com/bid/106176(cve@mitre.org)
https://access.redhat.com/errata/RHBA-2019:0024(cve@mitre.org)
http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/106176(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHBA-2019:0024(af854a3a-2127-422b-91ae-364da2661108)
https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1000861(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.