#VU16575 Improper input validation in Jenkins - CVE-2018-1000861
Published: December 18, 2018 / Updated: September 13, 2023
Vulnerability identifier: #VU16575
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2018-1000861
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Jenkins
Jenkins
Software vendor:
Jenkins
Jenkins
Description
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to due to improper handling of HTTP requests by the stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java code of the Stapler web framework used by the affected software. A remote attacker can trick the victim into accessing a specially crafted link that submits malicious input, invoke certain methods that are not intended to be invoked, which the attacker can use to execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
The vulnerability has been fixed in the versions 2.154, 2.138.4, and 2.150.1.