Cyber Resilience

CVE-2018-1000861

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 10 December 2018

Modified: 05 November 2025
KEV Added: 10 February 2022
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9448 (100.0th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-1000861 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jenkins. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, as well as LTS 2.138.3 and earlier. The issue is located in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java and is classified under CWE-502. It allows crafted URLs to invoke methods on Java objects that were never intended to be reachable this way, and it carries a CVSS 3.1 base score of 9.8.

Attackers with network access can exploit the flaw without authentication or user interaction by submitting malicious URLs. Successful exploitation grants the ability to execute arbitrary code, with full impact on confidentiality, integrity, and availability.

Public references, including the Jenkins security advisory at https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595 and the Red Hat errata RHBA-2019:0024, address the issue, while exploit code has been published on Packet Storm.


Vulnerability details

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 10 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins / jenkins: ≤ 2.138.3 · ≤ 2.153
redhat / openshift container platform: 3.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

AC-3 Access Enforcement (prevent): Directly enforces restrictions on which object methods may be invoked via URL mappings, blocking the unauthorized invocation path in MetaClass.java.

SI-10 Information Input Validation (prevent): Requires validation of URL inputs to reject crafted requests that attempt to invoke unintended methods, addressing the root cause of the Stapler flaw.

Prevent: Limits privileges so that only explicitly authorized methods on Java objects are reachable, reducing the attack surface exploited by malicious URLs.

References