Jenkins Stapler < 2.138.4 LTS / 2.154 Remote Code Execution

Critical | Web App Scanning Plugin ID 113160

Synopsis

Jenkins Stapler < 2.138.4 LTS / 2.154 Remote Code Execution

Description

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier and Jenkins LTS 2.138.3 and earlier, in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java. It allows attackers to invoke some methods on Java objects by accessing crafted URLs, even though those methods were not intended to be invoked this way.

Solution

Update Jenkins weekly to version 2.154 or later, and update Jenkins LTS to version 2.138.4 or 2.150.1 or later.

See Also

https://alibaba-cloud.medium.com/return-of-watchbog-exploiting-jenkins-cve-2018-1000861-d18fc9dca310

https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595

Plugin Details

Severity: Critical

ID: 113160

Type: remote

Published: 2/24/2022

Updated: 2/24/2022

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2018-1000861

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2018-1000861

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

CISA Known Exploited Vulnerability Due Dates: 8/10/2022

Reference Information

CVE: CVE-2018-1000861

BID: 106176