oss-sec mailing list archives
Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization
From: cve-assign () mitre org
Date: Wed, 18 Nov 2015 06:17:56 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> We updated neither commons-collections nor Groovy, the fix for both is specific to Jenkins, in the same component, and was part of the same release of Jenkins. Does this mean the one CVE ID covers both?
Yes, CVE-2015-8103 applies to all of SECURITY-218 as listed at https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 and therefore is associated with both the http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins attack and the https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java attack.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWTF4CAAoJEL54rhJi8gl5dycP/00lDmDND0eZpQYN3GRcTPY4
VKnMZnH//Zovw5gVSlZNDEAkpm4o8OlN9K5nOE0GG2XQsfk/haR67fG11KTjbOIq
HKDCYuborQicwSsLlxsfsMFgEdodMOs1+L4WQ/EJ7UYnTfEf1iG0zp150lfSNKxL
Zv+JPIvg6tJdUeYCUVOEgcSjr/0bLqJ7slZNEL+PVVV7eFPnwi0GfwdylblhR+mB
7ialUTNBKf5nZhYXI5LjkBC5EHiuxzmTRiD182VpwoXbVdrQaX4HVTLFnNdvWnCz
BcFMUB11d+8d+bGKj6r7mZPADHJeWr3KcxGVs0jlBVUuTmBA186MIy0zdK7eIKxM
QjUIsd5puBGAwvdlonnyilp3nxqQAV2j0RFgU5g9UnCWcOmOyU3+xX/gSqap/oRE
Vi/zqTsPkQwM1QumQ9gzmm+Cx5YYS+q3rLb5J8Og02i0I2TRtmHizWT+PBRk0I3t
0v43OHrktKtu+v8MS005gKTWrac2+1x2gPWydooNw3zVVqfPjCsXLd69bGFmW9HX
qpBZRX+me9r2ac5dHK0HuVnR9mNi1IZ0tutcsFkhjWHDHx2pUBxqWM+KnNHfPcux
QQrWFrfb8tu57rh/l02zsV6ah5sjnaz0qttsUSisMpUoAnUGQO1D8q0GSeJdm8mc
RFJV9K/Hf0Fh2i1Giz+A
=9Gr6
-----END PGP SIGNATURE-----
Current thread:
- CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Daniel Beck (Nov 09)
- Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization cve-assign (Nov 17)
- Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Daniel Beck (Nov 18)
- Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization cve-assign (Nov 18)
- Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Moritz Bechler (Nov 18)
- Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization Daniel Beck (Nov 18)
- Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization cve-assign (Nov 17)