CVE-2018-1000997

Опубликовано: 23 янв. 2019

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.

Ссылки

https://jenkins.io/security/advisory/2018-10-10/#SECURITY-867
Vendor Advisory
https://jenkins.io/security/advisory/2018-10-10/#SECURITY-867
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Версия до 2.138.1 (включая)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

Версия до 2.145 (включая)

EPSS

Процентиль: 83%

0.01923

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

CVE-2018-1000997

CVSS3: 6.5

redhat

больше 7 лет назад

CVE-2018-1000997

CVSS3: 6.5

debian

около 7 лет назад

A path traversal vulnerability exists in the Stapler web framework use ...

GHSA-5hfp-964w-5vgm

CVSS3: 6.5

github

больше 3 лет назад

Improper Limitation of a Pathname to a Restricted Directory in Jenkins

EPSS

Процентиль: 83%

0.01923

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-22