Is there an existing template for this?
Template requests
Description:
Jenkins versions 2.56 and earlier, and LTS versions 2.46.1 and earlier, are vulnerable to unauthenticated remote code execution. An attacker can send a serialized Java SignedObject to the Jenkins CLI, which deserializes it with a new ObjectInputStream; that deserialization bypasses the existing blacklist-based protection mechanism. The fix adds SignedObject to the blacklist. In addition, the new HTTP CLI protocol introduced in Jenkins 2.54 has been backported to LTS 2.46.2, and the remoting-based (Java serialization) CLI protocol has been deprecated and is disabled by default.
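A detection template for this issue mostly comes down to a version check, so the following added example (not part of the template request or of any Jenkins project code) classifies a Jenkins version string against the ranges stated in the description: weekly releases 2.56 and earlier, and LTS releases 2.46.1 and earlier. It distinguishes the two release lines by their shape (weekly versions have two components, LTS versions three) and reads the version from the X-Jenkins response header that Jenkins sets; the header sets in the block are constructed samples, not captures from any host.

```python
"""Version triage for the Jenkins CLI deserialization issue described above."""
import re

# Last affected version of each release line, taken from the description.
# Weekly releases use two components (2.56); LTS releases use three (2.46.1).
LAST_VULNERABLE_WEEKLY = (2, 56)
LAST_VULNERABLE_LTS = (2, 46, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str):
    """Return ('weekly' | 'lts', numeric tuple), or None if the string is not a version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the affected range for its release line."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    line, parts = parsed
    if line == "weekly":
        return parts <= LAST_VULNERABLE_WEEKLY
    return parts <= LAST_VULNERABLE_LTS


def triage_headers(headers: dict) -> dict:
    """Build a small report from HTTP response headers (case-insensitive lookup)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    version = lowered.get("x-jenkins")
    if version is None:
        # No X-Jenkins header: either not Jenkins or the header is hidden, so no verdict.
        return {"jenkins": False, "version": None, "vulnerable": None}
    return {"jenkins": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Constructed sample header sets for illustration only.
    samples = [
        {"X-Jenkins": "2.56"},     # last affected weekly release
        {"X-Jenkins": "2.46.1"},   # last affected LTS release
        {"x-jenkins": "2.46.2"},   # LTS with the backported fix
        {"X-Jenkins": "2.57"},     # first unaffected weekly release
        {"Server": "nginx"},       # not a Jenkins response
    ]
    for h in samples:
        print(triage_headers(h))
```

The version check is a necessary but not sufficient signal: on a patched LTS the remoting CLI is also disabled by default, so a template that only matches the header will still flag hosts that have been upgraded but report an old banner through a proxy.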
Severity:
Critical (CVSS: 9.8, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS:
- Score: 0.97201
- Percentile: 0.99862
PoCs:
Weaknesses:
- CWE-502: Deserialization of Untrusted Data
Vulnerable CPE:
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
OSS:
- No OSS information available
Anything else?
No response