CyberSec.Space Logo
Back to CVE Browser

CVE-2018-1000861

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score81.1360%
EPSS Percentile96.49th
PublishedDec 10, 2018
Last ModifiedNov 5, 2025

Vulnerability Description

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

Affected Platforms (CPE)

πŸ“¦
Jenkins

Jenkins

<= 2.138.3
πŸ“¦
Jenkins

Jenkins

<= 2.153
πŸ“¦
Redhat

Openshift Container Platform

= 3.11

References & Advisories

πŸ”— http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html
πŸ”— http://www.securityfocus.com/bid/106176
πŸ”— https://access.redhat.com/errata/RHBA-2019:0024
πŸ”— https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595
πŸ”— http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html
πŸ”— http://www.securityfocus.com/bid/106176
πŸ”— https://access.redhat.com/errata/RHBA-2019:0024
πŸ”— https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595

Related Vulnerabilities

CVE-2019-10030319.9

A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/Fi...

CVE-2019-10030309.9

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/...

CVE-2019-10030299.9

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/sc...

CVE-2019-10030329.9

A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/...