Allele Security Alert
ASA-2018-00086
Identifier(s)
ASA-2018-00086, CVE-2018-1000861, SECURITY-595
Title
Code execution through crafted URLs
Vendor(s)
Jenkins project
Product(s)
Jenkins (core)
Affected version(s)
Jenkins 2.153
Jenkins 2.138.3
Fixed version(s)
Jenkins 2.154
Jenkins LTS 2.138.4 or 2.150.1
Proof of concept
Unknown
Description
Jenkins uses the Stapler web framework for HTTP request handling. Stapler's basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with get, and that takes a String, int, or long argument, or no argument, can be invoked this way on objects that are reachable through these means. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way.
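The following is an added illustration, not code from Stapler, Jenkins or this advisory: a toy Java dispatcher that maps URL path segments to getters by naming convention alone, then repeats the lookup behind an explicit allowlist. All class names, method names and the allowlist format are hypothetical, and the token value is constructed.

```java
import java.lang.reflect.Method;
import java.util.Set;
// Toy model of naming-convention routing (hypothetical classes, not Stapler's code).
public class GetterRoutingDemo {
    public static class Root {
        public Job getJob(String name) { return new Job(name); }     // meant to be a URL
        public Internals getInternals() { return new Internals(); }  // ordinary Java getter
    }
    public static class Job {
        private final String name;
        Job(String name) { this.name = name; }
        public String getDisplayName() { return "job:" + name; }
    }
    public static class Internals {
        public String getSecretToken() { return "constructed-sample-token"; }
    }
    // Walk "/a/b": segment "x" maps to getX(), or to getX(String) taking the next segment.
    // A null allowlist models convention-only routing; otherwise each getter must be listed.
    static Object resolve(Object node, String path, Set<String> allowed) throws Exception {
        String[] seg = path.split("/");
        for (int i = 0; i < seg.length; i++) {
            if (seg[i].isEmpty()) continue;
            String getter = "get" + Character.toUpperCase(seg[i].charAt(0)) + seg[i].substring(1);
            String id = node.getClass().getSimpleName() + "." + getter;
            if (allowed != null && !allowed.contains(id))
                throw new SecurityException("not routable: " + id);
            Method m = find(node.getClass(), getter);
            if (m == null || (m.getParameterCount() == 1 && i + 1 >= seg.length))
                throw new NoSuchMethodException(id);
            node = m.getParameterCount() == 0 ? m.invoke(node) : m.invoke(node, seg[++i]);
        }
        return node;
    }
    static Method find(Class<?> c, String name) {
        for (Method m : c.getMethods()) {
            if (!m.getName().equals(name)) continue;
            Class<?>[] p = m.getParameterTypes();
            if (p.length == 0 || (p.length == 1 && p[0] == String.class)) return m;
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        Root root = new Root();
        // Convention only: any public getter on a reachable object answers a URL.
        System.out.println(resolve(root, "/internals/secretToken", null));
        // Explicit allowlist: only getters declared routable are dispatched.
        Set<String> routable = Set.of("Root.getJob", "Job.getDisplayName");
        System.out.println(resolve(root, "/job/build/displayName", routable));
        try { resolve(root, "/internals/secretToken", routable); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The first call reaches a getter that was written as plain Java, not as a web endpoint; with the allowlist in place the same path is rejected at the first segment while the intended route still resolves.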
Technical details
Unknown
Credits
Daniel Beck (CloudBees, Inc), Jesse Glick (CloudBees, Inc), Wadeck Follonier (CloudBees, Inc), Apple Information Security, Evan Grant (Tenable) and Orange Tsai (DEVCORE)
Reference(s)
Jenkins Security Advisory 2018-12-05
https://jenkins.io/security/advisory/2018-12-05/
CloudBees Security Advisory 2018-12-05
https://www.cloudbees.com/cloudbees-security-advisory-2018-12-05
[SECURITY-595] Further whitelist additions
https://github.com/jenkinsci/jenkins/commit/76e0e69e91b85dd72f8fac53d547dcdc4ff1d90c
[SECURITY-595]
https://github.com/jenkinsci/jenkins/commit/47f38d714c99e1841fb737ad1005618eb26ed852
CVE-2018-1000861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000861
CVE-2018-1000861
https://nvd.nist.gov/vuln/detail/CVE-2018-1000861
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 6, 2019