Bug 1656865 (CVE-2018-1000861) - CVE-2018-1000861 jenkins: code execution through crafted URLs (SECURITY-595)
Summary: CVE-2018-1000861 jenkins: code execution through crafted URLs (SECURITY-595)
Keywords:
Status: NEW
Alias: CVE-2018-1000861
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1656866 1657084 1657085 1657086 1657087 1657088 1657089 1657090 1657091 1657092 1657093
Blocks: 1656867
Reported: 2018-12-06 14:33 UTC by Laura Pardo
Modified: 2019-09-29 15:04 UTC
CC: 21 users

Fixed In Version: jenkins 2.154, Jenkins LTS 2.138.4, Jenkins LTS 2.150.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Laura Pardo 2018-12-06 14:33:06 UTC
A flaw was found in the way Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way.


References:
https://jenkins.io/security/advisory/2018-12-05/
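To make the mechanism in the description concrete, the following is an added Python sketch (not Stapler's or Jenkins's code) of convention-based reflective URL dispatch placed beside an allowlisted variant. The Root and Session classes, the web_exposed marker and the URL paths are constructed for this illustration; the point is that any method whose name happens to fit the getXxx/doXxx convention becomes reachable unless routing is restricted to methods explicitly marked as web-facing.

```python
"""Convention-based reflective URL dispatch versus an explicit allowlist.

Constructed Python sketch of the pattern described in the bug: it is not
Stapler or Jenkins code, and the Root/Session classes, the web_exposed
marker and the URL paths are invented for illustration.
"""
import inspect
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    live: bool = True


def web_exposed(fn):
    """Mark a method as intentionally reachable from a URL (constructed marker)."""
    fn._web_exposed = True
    return fn


@dataclass
class Root:
    sessions: dict = field(default_factory=dict)

    @web_exposed
    def getSession(self, sid):          # intended web route: /session/<sid>
        return self.sessions[sid]

    @web_exposed
    def doPing(self):                   # intended web route: /ping
        return "pong"

    def doInvalidateAllSessions(self):  # internal housekeeping, never meant for HTTP,
        for s in self.sessions.values():  # but it matches the doXxx convention
            s.live = False
        return len(self.sessions)


def _resolve(obj, segment):
    """Find a doXxx action or getXxx getter for a URL segment via reflection."""
    cap = segment[:1].upper() + segment[1:]
    for prefix in ("do", "get"):
        fn = getattr(obj, prefix + cap, None)
        if callable(fn):
            return prefix, fn
    return None, None


def dispatch(root, path, enforce_allowlist):
    """Walk the URL segments; each one maps to a method on the current object.

    enforce_allowlist=False: any method matching the naming convention is
    callable (the flaw).  enforce_allowlist=True: only @web_exposed methods
    are routable; everything else is treated as "no such route".
    """
    obj = root
    segs = [s for s in path.split("/") if s]
    i = 0
    while i < len(segs):
        prefix, fn = _resolve(obj, segs[i])
        if fn is None:
            raise LookupError(f"no route for {segs[i]!r}")
        if enforce_allowlist and not getattr(fn, "_web_exposed", False):
            raise LookupError(f"{fn.__name__} is not web-exposed")
        i += 1
        if prefix == "do":
            return fn()
        # Getter: consume the following segments as its positional arguments.
        nparams = len(inspect.signature(fn).parameters)
        args = segs[i:i + nparams]
        if len(args) != nparams:
            raise LookupError("missing path parameter")
        obj = fn(*args)
        i += nparams
    return obj


def make_root():
    """Constructed fixture: a root object holding two live sessions."""
    return Root(sessions={"a": Session("a"), "b": Session("b")})


if __name__ == "__main__":
    r = make_root()
    print(dispatch(r, "/session/a", enforce_allowlist=False).sid)
    # With the naive router the housekeeping method is reachable by URL:
    print(dispatch(r, "/invalidateAllSessions", enforce_allowlist=False))
    print([s.live for s in r.sessions.values()])
    # With the allowlist the same path is simply not a route:
    try:
        dispatch(make_root(), "/invalidateAllSessions", enforce_allowlist=True)
    except LookupError as e:
        print("blocked:", e)
```

The allowlist check is the design point: instead of deciding reachability by method name, the router consults an explicit marker set by the author of the class, so adding an innocently named helper to a routable object no longer widens the HTTP attack surface.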

Comment 1 Laura Pardo 2018-12-06 14:33:33 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1656866]

Comment 4 Jason Shepherd 2018-12-07 06:53:24 UTC
From upstream advisory:
As of publication of this advisory, we are aware of the following potential attacks in the latest Jenkins releases that do not yet contain this fix:

Unauthenticated users can invalidate all sessions
Users with Overall/Read permission could create new user objects in memory.
Users with Overall/Read access could manually kick off otherwise periodically executed runs of implementations of AsyncPeriodicWork.

Given the vast potential attack surface, we fully expect other attacks, that we are not currently aware of, to be possible on Jenkins releases that do not have this fix applied. This is reflected in the high score we assigned to this issue, rather than limiting the score to the impact through known issues.

Comment 5 Jason Shepherd 2018-12-07 06:53:39 UTC
Statement:

This vulnerability is only exploitable by a user with developer permissions. Therefore this vulnerability is rated Important for OpenShift Container Platform 3.x.

Comment 6 Gabe Montero 2018-12-07 15:12:41 UTC
PR https://github.com/openshift/jenkins/pull/749 created for 3.11

Comment 7 Gabe Montero 2018-12-10 04:38:07 UTC
The PR I mentioned has merged, updating our centos image.

Job https://buildvm.openshift.eng.bos.redhat.com:8443/job/devex/job/devex%252Fjenkins-bump-version/27/ updated the RPM used in the 3.11 z stream to point to 2.138.4

