Cloudbees · Jenkins · CVE-2016-0792
**Name of the Vulnerable Software and Affected Versions**
Jenkins versions prior to 1.650
Jenkins LTS versions prior to 1.642.2
**Description**
The issue allows remote authenticated users to execute arbitrary code via serialized data in an XML file. This is related to XStream and the `groovy.util.Expando` class. Multiple unspecified API endpoints are affected.
**Recommendations**
For Jenkins versions prior to 1.650, update to version 1.650 or later.
For Jenkins LTS versions prior to 1.642.2, update to version 1.642.2 or later.
As a temporary workaround, consider restricting access to the affected API endpoints until a patch is available.