Description
Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Remediation
References
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-1737
Related Vulnerabilities
CVE-2020-8897 Vulnerability in maven package com.amazonaws:aws-encryption-sdk-java
CVE-2023-6394 Vulnerability in maven package io.quarkus:quarkus-smallrye-graphql-client
CVE-2020-25633 Vulnerability in maven package org.jboss.resteasy:resteasy-client
CVE-2022-43431 Vulnerability in maven package com.compuware.jenkins:compuware-strobe-measurement
CVE-2022-34779 Vulnerability in maven package com.xebialabs.ci:xlrelease-plugin