Description
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2016-1773.html
https://access.redhat.com/errata/RHSA-2016:0711
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
https://www.exploit-db.com/exploits/42394/
https://www.exploit-db.com/exploits/43375/
Related Vulnerabilities
CVE-2019-18213 Vulnerability in maven package org.lsp4xml:lsp4xml-extensions
CVE-2021-43785 Vulnerability in npm package @joeattardi/emoji-button
CVE-2023-46998 Vulnerability in maven package org.webjars.bower:bootbox
CVE-2023-38700 Vulnerability in npm package matrix-appservice-irc
CVE-2017-18214 Vulnerability in maven package org.webjars.npm:moment