Miggo Logo

CVE-2018-1000146: Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM

8.8

CVSS Score
3.0

Basic Information

EPSS Score
0.47286%
CWE
-
Published
5/13/2022
Updated
12/15/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:liquibase-runnermaven< 1.4.31.4.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from two key issues: 1) The classloader creation (Util.createClassLoader) accepted user-controlled paths, allowing loading of arbitrary classes. 2) Driver classname configuration (via PropertiesAssembler) permitted execution of arbitrary static initializers. Commit 1817af0 shows classloader refactoring to prevent workspace-relative paths, while 382a1ea removed driver classname customization - both indicating these were the attack vectors. The high severity CVE-2018-1000146 directly maps to these insecure class loading mechanisms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *r*itr*ry *o** *x**ution vuln*r**ility *xists in Liqui**s* Runn*r Plu*in v*rsion *.*.* *n* ol**r t**t *llows *n *tt**k*r wit* p*rmission to *on*i*ur* jo*s to lo** *n* *x**ut* *r*itr*ry *o** on t** J*nkins m*st*r JVM.

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) T** *l*sslo***r *r**tion (`Util.*r**t**l*ssLo***r`) ****pt** us*r-*ontroll** p*t*s, *llowin* lo**in* o* *r*itr*ry *l*ss*s. *) *riv*r *l*ssn*m* *on*i*ur*tion (vi* `Prop*rti*s*ss*m*l*r`) p*rmitt** *x**u