cve/2018/CVE-2018-1000861.md

### [CVE-2018-1000861](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000861)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

### POC

#### Reference
- http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html

#### Github
- https://github.com/0day404/vulnerability-poc
- https://github.com/0ps/pocassistdb
- https://github.com/0xT11/CVE-POC
- https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION
- https://github.com/20142995/pocsuite3
- https://github.com/7roublemaker/Jenkins_check
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/ArrestX/--POC
- https://github.com/BLACKHAT-SSG/Pwn_Jenkins
- https://github.com/CLincat/vulcat
- https://github.com/CnHack3r/Penetration_PoC
- https://github.com/DSO-Lab/pocscan
- https://github.com/EchoGin404/-
- https://github.com/EchoGin404/gongkaishouji
- https://github.com/Elsfa7-110/kenzer-templates
- https://github.com/FishyStix12/BH.py-CharCyCon2024
- https://github.com/KayCHENvip/vulnerability-poc
- https://github.com/MelanyRoob/Goby
- https://github.com/Miraitowa70/POC-Notes
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/N0body007/jenkins-rce-2017-2018-2019
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/PalindromeLabs/Java-Deserialization-CVEs
- https://github.com/PetrusViet/Jenkins-bypassSandBox-RCE
- https://github.com/PwnAwan/Pwn_Jenkins
- https://github.com/Rajchowdhury420/Secure-or-Break-Jenkins
- https://github.com/SexyBeast233/SecBooks
- https://github.com/TheBeastofwar/JenkinsExploit-GUI
- https://github.com/Threekiii/Awesome-POC
- https://github.com/Threekiii/Vulhub-Reproduce
- https://github.com/YIXINSHUWU/Penetration_Testing_POC
- https://github.com/Zompire/cc_talk_2021
- https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
- https://github.com/alphaSeclab/sec-daily-2019
- https://github.com/bakery312/Vulhub-Reproduce
- https://github.com/cyberharsh/jenkins1000861
- https://github.com/d4n-sec/d4n-sec.github.io
- https://github.com/deadbits/yara-rules
- https://github.com/glithc/yara-detection
- https://github.com/gobysec/Goby
- https://github.com/gquere/pwn_jenkins
- https://github.com/hasee2018/Penetration_Testing_POC
- https://github.com/hktalent/bug-bounty
- https://github.com/huike007/penetration_poc
- https://github.com/huimzjty/vulwiki
- https://github.com/jiangsir404/POC-S
- https://github.com/jweny/pocassistdb
- https://github.com/koutto/jok3r-pocs
- https://github.com/langu-xyz/JavaVulnMap
- https://github.com/lions2012/Penetration_Testing_POC
- https://github.com/orangetw/awesome-jenkins-rce-2019
- https://github.com/password520/Penetration_PoC
- https://github.com/reph0r/poc-exp
- https://github.com/reph0r/poc-exp-tools
- https://github.com/retr0-13/Goby
- https://github.com/retr0-13/pwn_jenkins
- https://github.com/simran-sankhala/Pentest-Jenkins
- https://github.com/smokeintheshell/CVE-2018-1000861
- https://github.com/veo/vscan
- https://github.com/whoadmin/pocs
- https://github.com/winterwolf32/CVE-S---Penetration_Testing_POC-
- https://github.com/woodpecker-appstore/jenkins-vuldb
- https://github.com/woods-sega/woodswiki
- https://github.com/xuetusummer/Penetration_Testing_POC
- https://github.com/yedada-wei/-
- https://github.com/yedada-wei/gongkaishouji