CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2018-1000861

CVSS 9.8v3.1pub. 2018-12-10upd. 2025-11-05

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jenkins

    APP
    Jenkins
    ≤ 2.138.3≤ 2.153
  • Red Hat OpenShift Container Platform

    APP
    Redhat
    3.11

CISA KEV — detailsi

Vendori
Jenkins
Producti
Jenkins Stapler Web Framework
Added to KEVi
February 10, 2022
Remediation deadline (US Federal)i
August 10, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

A code execution vulnerability exists in the Stapler web framework used by Jenkins

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 10 sierpnia 2022
Tags
RCECI/CDDeserialization
CWE
References

Related vulnerabilities

CVE-2024-23897CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Jenkins CLI – odczyt dowolnych plików przez path traversal bez uwierzytelnienia

CVE-2019-7609CRITICAL10.0⚠ KEVten sam produkt

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2019-1003030CRITICAL9.9⚠ KEVten sam produkt

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main...

CVE-2019-1003029CRITICAL9.9⚠ KEVten sam produkt

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/...

CVE-2017-1000353CRITICAL9.8⚠ KEVten sam produkt

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remot...