PT-2018-3808 · Cloudbees+1 · Jenkins
Daniel Beck +4
Published: 2018-12-05 · Updated: 2025-11-05
CVE-2018-1000861
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.153 and earlier
Jenkins LTS versions 2.138.3 and earlier
Description
A code execution issue exists in the Stapler web framework used by Jenkins, specifically in the MetaClass.java file, allowing attackers to invoke certain methods on Java objects by accessing crafted URLs. This is related to the deserialization of untrusted data, which can be exploited by a remote attacker to execute arbitrary code.
Recommendations
For Jenkins versions 2.153 and earlier, update to a version that includes the fix for the deserialization vulnerability.
For Jenkins LTS versions 2.138.3 and earlier, update to a version that includes the fix for the deserialization vulnerability.
As a temporary workaround, consider restricting access to the MetaClass.java component in the Stapler web framework to minimize the risk of exploitation.
Weakness Enumeration
Deserialization of Untrusted Data
Affected Products
Jenkins