PT-2015-7730 · Cloudbees+2 · Jenkins+1

Christopher Frohoff

Publicado

2015-11-25

Atualizado

2024-01-09

CVE-2015-8103

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins versions prior to 1.638 Jenkins LTS versions prior to 1.625.2

Description The issue allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in ysoserial".

Recommendations For Jenkins versions prior to 1.638, update to version 1.638 or later. For Jenkins LTS versions prior to 1.625.2, update to version 1.625.2 or later. As a temporary workaround, consider restricting access to the Jenkins CLI subsystem until a patch is available.

Exploit

Correção

RCE

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

CVE-2015-8103

GHSA-WFW7-6632-XCV2

MGASA-2016-0137

RHSA-2016:0070

RHSA-2016:0489

Produtos afetados

Jenkins

Commons-Collections

PT-2015-7730 · Cloudbees+2 · Jenkins+1

CVE-2015-8103

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 26