A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2019-01-23T22:00:00Z
Updated: 2024-09-17T01:26:09.373Z
Reserved: 2019-01-23T00:00:00Z
Link: CVE-2018-1000997
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-01-23T22:29:00.337
Modified: 2024-11-21T03:40:36.673
Link: CVE-2018-1000997
Redhat