CVE-2018-1000862: Infoleak
First published: Mon Dec 10 2018(Updated: )
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | >=2.140<=2.153 | 2.154 |
| maven/org.jenkins-ci.main:jenkins-core | <=2.138.3 | 2.138.4 |
| Jenkins Jenkins | <=2.138.3 | |
| Jenkins Jenkins | <=2.153 | |
| Red Hat OpenShift Container Platform | =3.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/106176
- https://access.redhat.com/errata/RHBA-2019:0024
- https://jenkins.io/security/advisory/2018-12-05/#SECURITY-904
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000862
- https://github.com/jenkinsci/jenkins/commit/c19cc705688cfffa4fe735e0edbe84862b6c135f
- https://github.com/advisories/GHSA-hph9-9vcq-f7gp (Advisory)
- collector/github-advisory-latest
- alias/GHSA-hph9-9vcq-f7gp
- alias/CVE-2018-1000862
- collector/github-advisory
- agent/author
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- agent/source
- package-manager/maven
- vendor/jenkins
- canonical/jenkins jenkins
- version/jenkins jenkins/2.138.3
- version/jenkins jenkins/2.153
- vendor/redhat
- canonical/red hat openshift container platform
- version/red hat openshift container platform/3.11