Description

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Remediation

References

https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24

https://access.redhat.com/errata/RHSA-2016:0711

https://www.exploit-db.com/exploits/42394/

https://www.exploit-db.com/exploits/43375/

http://rhn.redhat.com/errata/RHSA-2016-1773.html

Related Vulnerabilities

CVE-2020-36185 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2021-46877 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-28469 Vulnerability in npm package glob-parent

CVE-2023-34617 Vulnerability in maven package com.owlike:genson

CVE-2020-8237 Vulnerability in maven package org.webjars.bower:json-bigint

Severity

Critical

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Patch Vendor Advisory