8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000146

GHSA ID

GHSA-3hvc-xwjp-xr8m

EPSS Score

0.47286%

CWE

Published

5/13/2022

Updated

12/15/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000146

CVE-2018-1000146:
Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM

An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.

(GitHub Advisory)

8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000146

GHSA ID

GHSA-3hvc-xwjp-xr8m

EPSS Score

0.47286%

CWE

Published

5/13/2022

Updated

12/15/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:liquibase-runner	maven	< 1.4.3	1.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) The classloader creation (Util.createClassLoader) accepted user-controlled paths, allowing loading of arbitrary classes. 2) Driver classname configuration (via PropertiesAssembler) permitted execution of arbitrary static initializers. Commit 1817af0 shows classloader refactoring to prevent workspace-relative paths, while 382a1ea removed driver classname customization - both indicating these were the attack vectors. The high severity CVE-2018-1000146 directly maps to these insecure class loading mechanisms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *r*itr*ry *o** *x**ution vuln*r**ility *xists in Liqui**s* Runn*r Plu*in v*rsion *.*.* *n* ol**r t**t *llows *n *tt**k*r wit* p*rmission to *on*i*ur* jo*s to lo** *n* *x**ut* *r*itr*ry *o** on t** J*nkins m*st*r JVM.

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) T** *l*sslo***r *r**tion (`Util.*r**t**l*ssLo***r`) ****pt** us*r-*ontroll** p*t*s, *llowin* lo**in* o* *r*itr*ry *l*ss*s. *) *riv*r *l*ssn*m* *on*i*ur*tion (vi* `Prop*rti*s*ss*m*l*r`) p*rmitt** *x**u

8.8

Basic Information

Concerned about an active attack path?

CVE-2018-1000146: Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-1000146:
Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM

Vulnerability Intelligence
Miggo AI