Vulnerability Description
A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.121.1 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
References
- https://jenkins.io/security/advisory/2018-07-18/#SECURITY-914MitigationVendor Advisory
- https://www.exploit-db.com/exploits/46453/ExploitThird Party AdvisoryVDB Entry
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://jenkins.io/security/advisory/2018-07-18/#SECURITY-914MitigationVendor Advisory
- https://www.exploit-db.com/exploits/46453/ExploitThird Party AdvisoryVDB Entry
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2018-1999002?
CVE-2018-1999002 is a vulnerability with a CVSS score of 7.5 (HIGH). A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP ...
How severe is CVE-2018-1999002?
CVE-2018-1999002 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1999002?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins, Oracle Communications Cloud Native Core Automated Test Suite.