Srikanth Ramu

**Name of the Vulnerable Software and Affected Versions** Spring Batch (affected versions not specified) **Description** The issue concerns a deserialization vulnerability in Jackson that could lead to arbitrary code execution when default typing is enabled. This vulnerability can be exploited in Spring Batch if its Jackson support is used to serialize a job's ExecutionContext and a malicious user gains write access to the data store used by the JobRepository. The vulnerability is mitigated by Jackson's blacklisting of known "deserialization gadgets". However, to protect against unknown gadgets, proactive measures should be taken when enabling default typing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Yaml Axis Plugin versions 0.2.0 and earlier **Description** The issue results from the YAML parser not being configured to prevent the instantiation of arbitrary types, leading to a remote code execution vulnerability. This vulnerability is exploitable by users who can configure a multi-configuration job or control the contents of a previously configured job's SCM repository. **Recommendations** For Jenkins Yaml Axis Plugin versions 0.2.0 and earlier, update to version 0.2.1 or later, which configures its YAML parser to only instantiate safe types.