#VU14004 Arbitrary file read in Jenkins - CVE-2018-1999002

Published: July 26, 2018 / Updated: June 17, 2021


Vulnerability identifier: #VU14004
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-1999002
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software: Jenkins
Software vendor: Jenkins

Description

The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to an arbitrary file read in the Stapler web framework (org/kohsuke/stapler/Stapler.java). A remote attacker can send specially crafted HTTP requests to obtain the contents of any file on the Jenkins master file system that the Jenkins master process has access to.


Remediation

The vulnerability is addressed in versions 1.121.2 and 1.133.

External links