Information disclosure in Jenkins - CVE-2018-1000862
Published: December 18, 2018
Vulnerability identifier: #VU16573
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1000862
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The vulnerability exists due to the DirectoryBrowserSupport.java code of the affected software allows access to the filesystem outside the workspace to extend beyond the execution of a build on an affected agent. A remote attacker with the ability to control build output to browse the filesystem on agents running builds beyond the duration of the build using the workspace browser can access sensitive file information.
How to mitigate CVE-2018-1000862
The vulnerability has been fixed in the versions 2.154, 2.138.4, and 2.150.1.