#VU16573 Information disclosure in Jenkins - CVE-2018-1000862
Published: December 18, 2018
Vulnerability identifier: #VU16573
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1000862
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Jenkins
Jenkins
Software vendor:
Jenkins
Jenkins
Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The vulnerability exists due to the DirectoryBrowserSupport.java code of the affected software allows access to the filesystem outside the workspace to extend beyond the execution of a build on an affected agent. A remote attacker with the ability to control build output to browse the filesystem on agents running builds beyond the duration of the build using the workspace browser can access sensitive file information.
Remediation
The vulnerability has been fixed in the versions 2.154, 2.138.4, and 2.150.1.