Cloudbees · Jenkins · CVE-2015-8103
**Name of the Vulnerable Software and Affected Versions**
Jenkins versions prior to 1.638
Jenkins LTS versions prior to 1.625.2
**Description**
The issue allows remote attackers to execute arbitrary code by submitting a crafted serialized Java object. The vulnerable deserialization path is related to the problematic `webapps/ROOT/WEB-INF/lib/commons-collections-*.jar` bundled with Jenkins and to the "Groovy variant in `ysoserial`".
**Recommendations**
For Jenkins versions prior to 1.638, update to version 1.638 or later.
For Jenkins LTS versions prior to 1.625.2, update to version 1.625.2 or later.
As a temporary workaround, restrict access to the Jenkins CLI subsystem until the fixed version can be deployed.
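The weekly and LTS lines have separate fixed versions, and an LTS build such as 1.625.2 compares below the weekly threshold of 1.638 even though it is patched, so a triage check has to tell the two lines apart before comparing. The following Python helper (an added example, not part of this advisory) does that using the thresholds above; the HTTP response it parses is constructed sample data, and the `X-Jenkins` header is the one Jenkins sets on its responses.

```python
"""Triage a Jenkins version against the fixed versions named in CVE-2015-8103."""
import re

FIXED_WEEKLY = (1, 638)      # weekly line: fixed in 1.638 or later
FIXED_LTS = (1, 625, 2)      # LTS line: fixed in 1.625.2 or later


def parse_version(text):
    """Return the version as a tuple of ints.

    Weekly releases use two components (1.638); LTS releases use three
    (1.625.2), so the component count is what distinguishes the two lines.
    """
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_lts(version):
    return len(version) == 3


def is_vulnerable(text):
    """True when the given version is below the fix for its own release line.

    Comparing an LTS version against the weekly threshold would be wrong:
    1.625.2 sorts below 1.638 yet is patched, so each line uses its own fix.
    """
    version = parse_version(text)
    if is_lts(version):
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def version_from_headers(raw_response):
    """Extract the value of the X-Jenkins response header, or None if absent."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


# Constructed sample response from a hypothetical unpatched LTS instance.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Jenkins: 1.625.1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    found = version_from_headers(SAMPLE_RESPONSE)
    print(found, "vulnerable" if is_vulnerable(found) else "fixed")
```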