Description
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2016-1773.html
https://access.redhat.com/errata/RHSA-2016:0711
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
https://www.exploit-db.com/exploits/42394/
https://www.exploit-db.com/exploits/43375/
Related Vulnerabilities
CVE-2014-0230 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-hikari-dbcp-service
CVE-2021-23337 Vulnerability in maven package org.webjars:lodash
CVE-2021-41411 Vulnerability in maven package org.drools:drools-core
CVE-2023-39151 Vulnerability in maven package org.jenkins-ci.main:jenkins-core