Jenkins groovy.util.Expando Java deserialization vulnerability
Added: 08/15/2017
CVE: CVE-2016-0792
BID: 83720
Background
Jenkins is a standalone, open-source automation server written in Java.

Problem
Jenkins uses XStream to deserialize XML submitted to its remote API without restricting the classes that may be instantiated. A request to createItem carrying specially crafted XML that instantiates groovy.util.Expando (used as a deserialization gadget) allows a remote attacker to execute arbitrary commands on the Jenkins server.

Resolution
Upgrade to Jenkins 1.650 or later, or to Jenkins LTS 1.642.2 or later.

References
https://jenkins.io/security/advisory/2016-02-24/

Limitations
Exploit works on Jenkins prior to 1.650 and Jenkins LTS prior to 1.642.2 on Debian.

Platforms
Linux
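The two checks a defender wants alongside this entry are deciding whether a given Jenkins release predates the fixed versions named above (weekly 1.650, LTS 1.642.2) and flagging a createItem request whose XML body names gadget classes that never appear in a legitimate job config.xml. The script below is an added example, not code from the exploit index or from the Jenkins project. It assumes, as the page does not state, that Jenkins reports its version in the X-Jenkins response header, that 1.x weekly releases use two numeric components (1.N) and LTS releases three (1.N.M), and it treats org.codehaus.groovy.runtime.MethodClosure and java.lang.ProcessBuilder as indicator names of its own choosing; only groovy.util.Expando comes from the entry. The HTTP response and request bodies are constructed sample data.

```python
"""Added example for the Jenkins CVE-2016-0792 entry; not code from the
exploit index or from Jenkins itself.

Assumptions not stated on the page: Jenkins reports its version in the
X-Jenkins response header; 1.x weekly releases have two numeric components
(1.N) and LTS releases three (1.N.M). Indicator names other than
groovy.util.Expando are this example's own choice.
"""
import re

FIXED_WEEKLY = (1, 650)     # first fixed weekly release (from the Resolution)
FIXED_LTS = (1, 642, 2)     # first fixed LTS release (from the Resolution)

# Element names whose presence in a job-config POST strongly suggests a
# crafted XStream payload. groovy.util.Expando is from the entry above; the
# other two are assumed here as typical companions in a Groovy gadget chain.
GADGET_INDICATORS = (
    "groovy.util.Expando",
    "org.codehaus.groovy.runtime.MethodClosure",
    "java.lang.ProcessBuilder",
)


def parse_version(version):
    """Turn '1.642.1' into (1, 642, 1); reject anything but dotted digits."""
    text = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if the release predates the fix on its own line (weekly or LTS).

    Tuple comparison handles both lines: (1, 642, 1) < (1, 642, 2) and
    (1, 649) < (1, 650), while any 2.x release compares greater than both.
    """
    parts = parse_version(version)
    if len(parts) >= 3:                 # LTS line, e.g. 1.642.1
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY         # weekly line, e.g. 1.649


def version_from_response(raw_headers):
    """Return the X-Jenkins header value from a raw HTTP response head, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def createitem_indicators(path, body):
    """Return the gadget class names found in a createItem POST body.

    Requests to any other endpoint return [] so the check can sit in a proxy
    or WAF rule without touching normal traffic. Folder-scoped paths such as
    /job/team/createItem are matched as well.
    """
    if not re.match(r"^/(?:[^?]*/)?createItem(?:[?#]|$)", path):
        return []
    return [name for name in GADGET_INDICATORS if name in body]


# Constructed sample data, not captured from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Jetty(9.2.z-SNAPSHOT)\r\n"
    "X-Jenkins: 1.642.1\r\n"
    "X-Jenkins-Session: 0123abcd\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

# Skeleton of a crafted body: only the telltale element names, no payload.
SAMPLE_CRAFTED_BODY = (
    "<map><entry><groovy.util.Expando><expandoProperties><entry>"
    "<org.codehaus.groovy.runtime.MethodClosure/>"
    "</entry></expandoProperties></groovy.util.Expando><int>1</int></entry></map>"
)

# A legitimate job definition of the kind the Jenkins UI or CLI submits.
SAMPLE_BENIGN_BODY = "<project><description>nightly build</description><builders/></project>"


if __name__ == "__main__":
    version = version_from_response(SAMPLE_RESPONSE)
    state = "vulnerable" if is_vulnerable(version) else "patched"
    print(f"X-Jenkins {version}: {state}")
    print("crafted body:", createitem_indicators("/createItem?name=pwn", SAMPLE_CRAFTED_BODY))
    print("benign body:", createitem_indicators("/createItem?name=nightly", SAMPLE_BENIGN_BODY))
```

Run against the constructed response the version check reports 1.642.1 as vulnerable, and the body check flags the crafted createItem request while leaving the ordinary job definition alone. In a real deployment the version check belongs in an inventory or scanner that fetches the header from each master, and the body check in whatever proxy fronts the Jenkins remote API.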