Jenkins groovy.util.Expando Java deserialization vulnerability

Added: 08/15/2017
CVE: CVE-2016-0792
BID: 83720

Background

Jenkins is a standalone, open-source automation server written in Java.

Problem

A Java deserialization vulnerability in Jenkins' XML API allows an attacker who can POST to the createItem endpoint to execute arbitrary commands on the server. The request body is deserialized with XStream, and a crafted XML document that instantiates groovy.util.Expando triggers code execution during deserialization. Per the advisory, the affected endpoints are reachable by low-privileged users (the CVE entry classes the issue as requiring authentication), so it is only unauthenticated on instances that let anonymous users create jobs.

Resolution

Upgrade to Jenkins 1.650 or later (weekly release line) or Jenkins LTS 1.642.2 or later.

References

https://jenkins.io/security/advisory/2016-02-24/

Limitations

The exploit works against Jenkins weekly releases prior to 1.650 and Jenkins LTS releases prior to 1.642.2, running on Debian.

Platforms

Linux
