Jenkins allows Deserialization of Untrusted Data via an XML File

GHSA-45rg-g72w-r393 · CVE-2016-0792

Published May 14, 2022 · Modified Mar 13, 2025

Description

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-0792
WEB https://github.com/jenkinsci/jenkins/commit/7f202f0317e60cd3160f61467b8558f864f83f41
WEB https://access.redhat.com/errata/RHSA-2016:0711
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
WEB https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
WEB https://www.exploit-db.com/exploits/42394
WEB https://www.exploit-db.com/exploits/43375
WEB http://rhn.redhat.com/errata/RHSA-2016-1773.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes