oss-sec mailing list archives
CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization
From: Daniel Beck <ml () beckweb net>
Date: Mon, 9 Nov 2015 15:19:36 +0100
Hello,

Please assign a CVE to this issue:

Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting

Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master. This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected.

Public exploit: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins

Temporary workaround: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

A related issue is being discussed here: http://www.openwall.com/lists/oss-security/2015/11/09/1

Jenkins is affected by both this and the Groovy variant in 'ysoserial'.

We plan to release a fix for this as part of our planned security update on Wednesday.

Thanks!

--
Daniel Beck