Allele Security Alert
ASA-2018-00086, CVE-2018-1000861, SECURITY-595
Code execution through crafted URLs
Jenkins LTS 2.138.4 or 2.150.1
Proof of concept
Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with get and that takes no argument, or a single String, int, or long argument, can be invoked this way on objects that are reachable through these means. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way.
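To make the naming convention above concrete for code review, here is an added audit aid that is not Jenkins or Stapler code: it uses reflection to list the public get methods of a class whose argument list matches the convention the advisory describes, so a plugin author can see which methods on a model class deserve scrutiny. It is a simplified model of that convention only, not Stapler's complete routing logic, and SampleModel is a constructed class.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
// Audit aid (added example; not Stapler or Jenkins code). Lists the public
// methods of a class matching the getter convention the advisory describes:
// name starts with "get"; no argument or a single String, int or long one.
// Simplified model of that convention, not Stapler's complete routing logic.
public class StaplerGetterAudit {
    // True when the parameter list matches the convention.
    static boolean isDispatchableSignature(Class<?>[] params) {
        if (params.length == 0) return true;
        if (params.length != 1) return false;
        Class<?> p = params[0];
        return p == String.class || p == int.class || p == long.class;
    }

    // Sorted signatures of the convention-matching public methods of a class.
    public static List<String> reachableGetters(Class<?> type) {
        List<String> hits = new ArrayList<>();
        for (Method m : type.getMethods()) {                 // public, inherited included
            if (m.getDeclaringClass() == Object.class) continue; // skip getClass()
            if (!m.getName().startsWith("get")) continue;
            Class<?>[] params = m.getParameterTypes();
            if (!isDispatchableSignature(params)) continue;
            StringBuilder sig = new StringBuilder(m.getName()).append('(');
            for (int i = 0; i < params.length; i++) {
                if (i > 0) sig.append(", ");
                sig.append(params[i].getSimpleName());
            }
            hits.add(sig.append(')').toString());
        }
        Collections.sort(hits);
        return hits;
    }

    // Constructed sample model class with a mix of signatures.
    public static class SampleModel {
        public String getDisplayName() { return "sample"; }        // reported: no argument
        public Object getItem(String name) { return null; }        // reported: String argument
        public Object getBuild(int number) { return null; }        // reported: int argument
        public Object getEntry(long id) { return null; }           // reported: long argument
        public Object getPair(String a, String b) { return null; } // not reported: two arguments
        public void setName(String n) { }                          // not reported: not a getter
        String getSecret() { return "hidden"; }                    // not reported: not public
    }
    public static void main(String[] args) {
        reachableGetters(SampleModel.class).forEach(System.out::println);
    }
}
```

Running it prints the four convention-matching methods of SampleModel; each such method on a real model class should be checked for whether it was meant to be reachable over HTTP.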
Daniel Beck (CloudBees, Inc), Jesse Glick (CloudBees Inc), Wadeck Follonier (CloudBees, Inc), Apple Information Security, Evan Grant (Tenable) and Orange Tsai (DEVCORE)
Jenkins Security Advisory 2018-12-05
CloudBees Security Advisory 2018-12-05
[SECURITY-595] Further whitelist additions
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 6, 2019