CVE-2016-0792
HIGH 8.8 | EPSS 90.6%
Jenkins allows Deserialization of Untrusted Data via an XML File
Published: 2022/5/14 | Modified: 2025/3/13
Description
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Affected packages (1)
- Maven / org.jenkins-ci.main:jenkins-core: >= 1.643, < 1.650
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Reference links (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2016-0792
- PATCH: https://github.com/jenkinsci/jenkins
- WEB: http://rhn.redhat.com/errata/RHSA-2016-1773.html
- WEB: https://access.redhat.com/errata/RHSA-2016:0711
- WEB: https://github.com/jenkinsci/jenkins/commit/7f202f0317e60cd3160f61467b8558f864f83f41
- WEB: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
- WEB: https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
- WEB: https://www.exploit-db.com/exploits/42394
- WEB: https://www.exploit-db.com/exploits/43375