CVE-2018-1000861
Published: 10 December 2018
Summary
CVE-2018-1000861 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jenkins. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, as well as LTS 2.138.3 and earlier. The issue is located in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java and is classified as CWE-502. It allows crafted URLs to invoke methods on Java objects that were never intended to be reachable this way, and it carries a CVSS 3.1 base score of 9.8.
Attackers with network access can exploit the flaw without authentication or user interaction by submitting malicious URLs. Successful exploitation grants the ability to execute arbitrary code, resulting in full impact to confidentiality, integrity, and availability.
Public references, including the Jenkins security advisory at https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595 and the Red Hat errata RHBA-2019:0024, address the issue, while exploit code has been published on Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-4161
Vulnerability details
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
- CWE(s): CWE-502
- KEV Date Added: 10 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces restrictions on which object methods may be invoked via URL mappings, blocking the unauthorized invocation path in MetaClass.java.
- SI-10 (Information Input Validation): requires validation of URL inputs to reject crafted requests that attempt to invoke unintended methods, addressing the root cause of the Stapler flaw.
- Least privilege: limits privileges so that only explicitly authorized methods on Java objects are reachable, reducing the attack surface exploited by malicious URLs.