
Exploit for Jenkins - Remote Command Injection (CVE-2018-1000861)

Description:

Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

Nuclei Template

View the template here CVE-2018-1000861.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2018/CVE-2018-1000861.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-1000861
https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595
https://access.redhat.com/errata/RHBA-2019:0024
http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html