Risk | High |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2018-1000864 CVE-2018-1000862 CVE-2018-1000863 CVE-2018-1000861 |
CWE-ID | CWE-20 CWE-200 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #3 is available. Vulnerability #4 is being exploited in the wild. |
Vulnerable software | Jenkins (Server applications / Application servers) |
Vendor | Jenkins |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU16572
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1000864
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote authenticated attacker to cause a DoS condition.
The vulnerability exists due to improper form validation for cron expressions. A remote attacker can send a specially crafted request that submits malicious input and blocks request-handling threads, resulting in a DoS condition.
Mitigation: The vulnerability has been fixed in versions 2.154, 2.138.4, and 2.150.1.
Vulnerable software versions: Jenkins: 2.19.2 - 2.153
External links: http://jenkins.io/security/advisory/2018-12-05/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16573
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1000862
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The vulnerability exists because the DirectoryBrowserSupport.java code of the affected software allows access to the filesystem outside the workspace to extend beyond the execution of a build on an affected agent. A remote attacker with the ability to control build output can use the workspace browser to browse the filesystem on agents running builds beyond the duration of the build and access sensitive file information.
Mitigation: The vulnerability has been fixed in versions 2.154, 2.138.4, and 2.150.1.
Vulnerable software versions: Jenkins: 2.19.2 - 2.153
External links: http://jenkins.io/security/advisory/2018-12-05/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16574
Risk: Low
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-1000863
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote unauthenticated attacker to cause a DoS condition.
The vulnerability exists in the User.java and IdStrategy.java code of Jenkins due to insufficient validation of user names by the affected software. A remote attacker can attempt to log in to the affected application with a user name that submits malicious input and improperly force the migration of user records, which could result in a DoS condition by preventing other users of the application from logging in.
Mitigation: The vulnerability has been fixed in versions 2.154, 2.138.4, and 2.150.1.
Vulnerable software versions: Jenkins: 2.19.2 - 2.153
External links: http://jenkins.io/security/advisory/2018-12-05/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU16575
Risk: High
CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2018-1000861
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
Description: The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of HTTP requests by the stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java code of the Stapler web framework used by the affected software. A remote attacker can trick the victim into accessing a specially crafted link that submits malicious input and invokes certain methods that are not intended to be invoked, which the attacker can use to execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation: The vulnerability has been fixed in versions 2.154, 2.138.4, and 2.150.1.
Vulnerable software versions: Jenkins: 2.19.2 - 2.153
External links: http://jenkins.io/security/advisory/2018-12-05/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
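The fix versions listed under Mitigation do not form a single numeric cut-off: 2.138.4 and 2.150.1 sort below 2.153 yet are fixed, so a plain range check against "2.19.2 - 2.153" misclassifies them. The following is an added example, not part of this bulletin or of Jenkins, that triages an inventory of reported Jenkins versions; it assumes three-part versions are LTS releases and two-part versions are weekly releases, and the host names are constructed placeholders.

```python
# Added example: classify Jenkins core versions against this bulletin.
# Assumption (not stated on the page): three-part versions such as 2.138.4
# are LTS releases; two-part versions such as 2.153 are weekly releases.

FIXED_WEEKLY = (2, 154)                  # bulletin: fixed in 2.154
FIXED_LTS = {(2, 138): 4, (2, 150): 1}   # bulletin: fixed in 2.138.4, 2.150.1
FIRST_LISTED = (2, 19, 2)                # bulletin: range starts at 2.19.2


def parse_version(text):
    """Turn '2.138.4' into (2, 138, 4); reject suffixes like '-SNAPSHOT'."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return 'fixed', 'vulnerable' or 'unlisted' for one version string."""
    version = parse_version(text)
    line = version[:2]
    if line >= FIXED_WEEKLY:
        return "fixed"            # 2.154 and every later weekly or LTS line
    if version + (0,) * (3 - len(version)) < FIRST_LISTED:
        return "unlisted"         # older than the range the bulletin lists
    if len(version) == 3 and version[2] >= FIXED_LTS.get(line, float("inf")):
        return "fixed"            # patched LTS release below 2.154
    return "vulnerable"


def needs_upgrade(inventory):
    """Return the sorted hosts whose reported version is vulnerable."""
    return sorted(h for h, v in inventory.items() if classify(v) == "vulnerable")


# Constructed sample inventory; host names are placeholders.
INVENTORY = {
    "ci-a.example.internal": "2.153",
    "ci-b.example.internal": "2.138.4",
    "ci-c.example.internal": "2.138.3",
    "ci-d.example.internal": "2.150.1",
    "ci-e.example.internal": "2.164.1",
}

if __name__ == "__main__":
    for host in needs_upgrade(INVENTORY):
        print(f"{host}: upgrade required ({INVENTORY[host]})")
```

Versions that do not parse raise `ValueError` rather than being silently treated as fixed, so unexpected builds surface for manual review.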