CVE-2018-1000861

CVSS v3.1 9.8 (Critical)
CVSS v2.0 10 (High)
EPSS 97.30 % (100th)
Affected Products 2
Advisories 3

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

Weaknesses: CWE-502 (Deserialization of Untrusted Data)
CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2018-12-10 14:29:01 (5 years ago)
Updated Date: 2022-06-13 19:00:57 (2 years ago)

Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)
Description: A code execution vulnerability exists in the Stapler web framework used by Jenkins
Required Action: Apply updates per vendor instructions.
Known to be Used in Ransomware Campaigns: Unknown
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-1000861
Vendor: Jenkins
Product: Jenkins Stapler Web Framework
In CISA Catalog from: 2022-02-10 (2 years ago)
Due Date: 2022-08-10 (2 years ago)

Affected Products


Configuration #1

  Product                               CPE23                                   From    Up To
  Jenkins 2.138.3 and prior versions    cpe:2.3:a:jenkins:jenkins::*:*:*:lts            <= 2.138.3
  Jenkins 2.153 and prior versions      cpe:2.3:a:jenkins:jenkins::*:*:*:-              <= 2.153

Configuration #2

  Product                                     CPE23                                                 From    Up To
  Redhat Openshift Container Platform 3.11    cpe:2.3:a:redhat:openshift_container_platform:3.11