CVE-2018-1000607 — Arbitrary file write vulnerability in Jenkins Fortify CloudScan Plugin

Description

A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as.

How to fix CVE-2018-1000607

To remediate CVE-2018-1000607, upgrade the affected package to a fixed version below.

—upgrade to 1.5.2 or later

Is CVE-2018-1000607 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (2)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000607
WEBjenkins.io/security/advisory/2018-06-25/#SECURITY-870