CVE-2018-1000862: Sensitive Information Exposure in Jenkins

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 59.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 10; Latest update May 24

Description

An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

NVD: jenkins/jenkins 2.138.3 (+1)

Also affects: Openshift Container Platform 3.11

🔴 Vulnerability Details (5)

GHSA: Arbitrary file read vulnerability in workspace browsers in Jenkins (2022-05-24)
OSV: Arbitrary file read vulnerability in workspace browsers in Jenkins (2022-05-24)
OSV: Exposure of Sensitive Information to an Unauthorized Actor in Jenkins (2022-05-14)
GHSA: Exposure of Sensitive Information to an Unauthorized Actor in Jenkins (2022-05-14)
CVEList: CVE-2018-1000862: An information exposure vulnerability exists in Jenkins 2 (2018-12-10)

📋 Vendor Advisories (3)

Jenkins: Jenkins Security Advisory 2021-01-13 (2021-01-13)
Red Hat: jenkins: workspace browser allowed accessing files outside the workspace (SECURITY-904) (2018-12-05)
Jenkins: Jenkins Security Advisory 2018-12-05 (2018-12-05)

💬 Community (2)

Bugzilla: CVE-2018-1000862 jenkins: workspace browser allowed accessing files outside the workspace (SECURITY-904) [fedora-all] (2018-12-06)
Bugzilla: CVE-2018-1000862 jenkins: workspace browser allowed accessing files outside the workspace (SECURITY-904) (2018-12-06)