A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-23T22:00:00Z

Updated: 2024-09-17T01:26:09.373Z

Reserved: 2019-01-23T00:00:00Z

Link: CVE-2018-1000997

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-01-23T22:29:00.337

Modified: 2024-11-21T03:40:36.673

Link: CVE-2018-1000997

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-10-10T00:00:00Z

Links: CVE-2018-1000997 - Bugzilla