Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Remediation

References

https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923

Related Vulnerabilities

CVE-2019-10440 Vulnerability in maven package org.jenkins-ci.plugins:neoload-jenkins-plugin

CVE-2011-4838 Vulnerability in maven package org.jruby:jruby-stdlib

CVE-2023-42277 Vulnerability in maven package cn.hutool:hutool-core

CVE-2022-42252 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2017-1000388 Vulnerability in maven package org.jenkins-ci.plugins:depgraph-view

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Tags

Vendor Advisory