CVE-2018-1000861

high-risk
Published 2018-12-10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

Do I need to act?

!
94.5% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Affected Vendors

Redhat Jenkins

References (9)

Third Party Advisory http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html
Broken Link http://www.securityfocus.com/bid/106176
Third Party Advisory https://access.redhat.com/errata/RHBA-2019:0024
Vendor Advisory https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595
Third Party Advisory http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html
Broken Link http://www.securityfocus.com/bid/106176
Third Party Advisory https://access.redhat.com/errata/RHBA-2019:0024
Vendor Advisory https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-...
Get this data via API
curl -H "Authorization: Bearer YOUR_KEY" \
  https://cyber.phasetransitions.ai/api/v1/cves/CVE-2018-1000861
Free tier: 100 requests/day, no credit card.
68
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 27/34 · High
Exposure 9/34 · Low