Arbitrary file read in Jenkins - CVE-2018-1999002

Published: July 26, 2018 / Updated: June 17, 2021


Vulnerability identifier: #VU14004
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-1999002
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Jenkins
Affected software:
Jenkins (weekly releases 2.132 and earlier, LTS releases 2.121.1 and earlier)

Detailed vulnerability description

The disclosed vulnerability allows a remote, unauthenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient validation of file paths in the Stapler web framework bundled with Jenkins (org/kohsuke/stapler/Stapler.java). A remote attacker can send specially crafted HTTP requests to the Jenkins master and receive the contents of any file on the master's file system that the Jenkins master process has permission to read, including secrets such as credentials and configuration files stored under JENKINS_HOME.


How to mitigate CVE-2018-1999002

The vulnerability is fixed in Jenkins LTS 2.121.2 and Jenkins weekly 2.133. Upgrade to one of these releases or later. Note that the two release lines are versioned separately: a weekly release (two components, e.g. 2.132) is fixed only from 2.133, and an LTS release (three components, e.g. 2.121.1) is fixed only from 2.121.2, so compare a version against the fixed release of its own line. Until the upgrade is applied, restrict network access to the Jenkins master, since no authentication is required to exploit this issue.
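The following is an added example, not part of the original advisory or of the Jenkins project, showing how to triage a Jenkins instance against the fixed versions named above. It assumes the version can be read from the X-Jenkins response header that Jenkins adds to its HTTP responses; the sample response below is constructed for the example.

```python
import re
from typing import Optional, Tuple

# Fixed releases for CVE-2018-1999002, one per Jenkins release line.
FIXED_WEEKLY = (2, 133)      # weekly line: two version components
FIXED_LTS = (2, 121, 2)      # LTS line: three version components


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.121.1' into (2, 121, 1); reject anything that is not dotted integers."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if this Jenkins core version predates the fix for CVE-2018-1999002.

    Weekly and LTS releases are numbered independently, so a version is only
    compared with the fixed release of its own line: 2.132 (weekly) is
    vulnerable although it is numerically larger than 2.121.2 (LTS).
    """
    parsed = parse_version(version)
    if len(parsed) == 3:
        return parsed < FIXED_LTS
    if len(parsed) == 2:
        return parsed < FIXED_WEEKLY
    raise ValueError(f"cannot classify release line of {version!r}")


def version_from_headers(raw_response: str) -> Optional[str]:
    """Extract the X-Jenkins header value from a raw HTTP response.

    Only the header block (before the first blank line) is inspected; the
    status line is skipped and header names are matched case-insensitively.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(raw_response: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, affected); both None if no X-Jenkins header is present."""
    version = version_from_headers(raw_response)
    if version is None:
        return None, None
    return version, is_affected(version)


# Constructed sample: a 403 from the login page of an unpatched LTS master.
# Real responses carry more headers; only X-Jenkins matters here.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.121.1\r\n"
    "X-Jenkins-Session: 0a1b2c3d\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body>Authentication required</body></html>"
)

if __name__ == "__main__":
    version, affected = triage(SAMPLE_RESPONSE)
    print(f"Jenkins {version}: {'AFFECTED' if affected else 'not affected'} by CVE-2018-1999002")
```

The header-based check needs no credentials, which mirrors the exposure of the vulnerability itself; it tells you only the core version, so a patched master with the header stripped by a reverse proxy must be confirmed from the Jenkins UI or the running WAR instead.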

Sources