CVE-2018-1000861

CVSS: 9.8 (CRITICAL)
EPSS: 94.5% (100th percentile)
CISA KEV | Public Exploit | Exploited in Wild
CISA Required Action: Apply updates per vendor instructions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Maven | org.jenkins-ci.main:jenkins-core | 2.140 | 2.154 | +1
NVD | jenkins/jenkins | 2.138.3 | +1

Also affects: Openshift Container Platform 3.11

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

Vulnerability Details (4)

OSV: Deserialization of Untrusted Data in Jenkins (2022-05-13)
GHSA: Deserialization of Untrusted Data in Jenkins (2022-05-13)
CVEList: CVE-2018-1000861: A code execution vulnerability exists in the Stapler web framework used by Jenkins 2 (2018-12-10)
VulnCheck: Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability (2018)

Exploits & PoCs (1)

Nuclei: Jenkins - Remote Command Injection

Detection Rules (3)

Suricata: ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M3 (2025-03-03)
Suricata: ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1 (2019-05-10)
Suricata: ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2 (2019-05-10)

Vendor Advisories (3)

CISA: Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability (2022-02-10)
Red Hat: jenkins: code execution through crafted URLs (SECURITY-595) (2018-12-05)
Jenkins: Jenkins Security Advisory 2018-12-05 (2018-12-05)

Threat Intelligence

Talos: Watchbog and the Importance of Patching (2019-09-11)