oss-sec mailing list archives
Vulnerability in Jenkins
From: Daniel Beck <ml () beckweb net>
Date: Wed, 9 Feb 2022 14:12:46 +0100
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.334
* Jenkins LTS 2.319.3

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2022-02-09/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2602 / CVE-2021-43859 (upstream) & CVE-2022-0538 (Jenkins)

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier are affected by the XStream library's vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job `config.xml`, `build.xml`, and numerous others. This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the `POST config.xml` API, to cause a denial of service (DoS).
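As an added example (not part of the advisory or the Jenkins project), a small Python check that classifies a Jenkins version string as weekly or LTS and reports whether it falls inside the affected range stated above. It assumes Jenkins' two-component weekly (2.333) and three-component LTS (2.319.2) version shapes and encodes only the fixed versions this advisory names.

```python
"""Check whether a Jenkins version is in the range this advisory
(SECURITY-2602 / CVE-2022-0538) marks as affected by the XStream DoS.

Assumption: weekly releases are "MAJOR.BUILD" (e.g. 2.333) and LTS
releases are "MAJOR.BUILD.PATCH" (e.g. 2.319.2). The fixed versions
below are the ones named in the advisory.
"""
from typing import Tuple

# First fixed release on each line: everything below it is affected.
FIXED_WEEKLY = (2, 334)
FIXED_LTS = (2, 319, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse "2.333" or "2.319.2" into a tuple of ints for comparison.

    Only two (weekly) or three (LTS) numeric components are accepted;
    anything else is rejected rather than guessed at.
    """
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """LTS releases carry a third component (2.319.2); weeklies do not."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True when the version is in the advisory's affected range.

    Weekly: 2.333 and earlier. LTS: 2.319.2 and earlier. Tuple comparison
    orders components numerically, so 2.99 sorts below 2.333 as expected.
    """
    parsed = parse_version(version)
    fixed = FIXED_LTS if len(parsed) == 3 else FIXED_WEEKLY
    return parsed < fixed


if __name__ == "__main__":
    # Constructed sample versions, not an inventory from any real deployment.
    for v in ("2.333", "2.334", "2.319.2", "2.319.3", "2.303.1"):
        line = "LTS" if is_lts(v) else "weekly"
        print(f"{v:>8} ({line}): {'AFFECTED' if is_affected(v) else 'fixed'}")
```

A later LTS line such as 2.332.1 compares above (2, 319, 3) and is reported as fixed, which matches the advisory's "2.319.2 and earlier" wording.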