Description
Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Remediation
References
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-1737
Related Vulnerabilities
CVE-2023-37960 Vulnerability in maven package io.jenkins.plugins:mathworks-polyspace
CVE-2011-4838 Vulnerability in maven package org.jruby:jruby-stdlib
CVE-2020-6459 Vulnerability in maven package org.webjars.npm:electron
CVE-2016-3674 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2019-10398 Vulnerability in maven package org.jenkins-ci.plugins:beaker-builder