PT-2018-7134 · Cloudbees · Jenkins

Moritz Bechler · Published 2018-05-15 · Updated 2022-05-13 · CVE-2017-2608

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Jenkins versions prior to 2.44; Jenkins versions prior to 2.32.2
Description: A remote code execution vulnerability caused by the deserialization of various javax.imageio types through Jenkins' XStream-based APIs.
Recommendations: For versions prior to 2.44, update to version 2.44 or later. For versions prior to 2.32.2, update to version 2.32.2 or later.
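A version triage check, added here as an example and not part of the PT advisory, that applies the two fixed-version thresholds above to an inventory of Jenkins instances. It assumes the version string is the one Jenkins itself reports (for example the X-Jenkins response header or the .version file in JENKINS_HOME; both are assumptions, not taken from the advisory) and treats 2.32.x as the separate LTS line that received its own fix in 2.32.2.

```python
# Added example (not from the PT advisory): decide whether a reported
# Jenkins version falls inside the advisory's affected ranges,
# "prior to 2.44" and "prior to 2.32.2" (the 2.32.x LTS line).
# Assumption: the version string is the one Jenkins reports, e.g. the
# X-Jenkins response header or the .version file in JENKINS_HOME.
import re

FIX_MAIN = (2, 44)          # first fixed release on the main line
LTS_BRANCH = (2, 32)        # the LTS line with its own fix
FIX_LTS = (2, 32, 2)        # first fixed release on that LTS line


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' (a trailing suffix such as '-SNAPSHOT' is ignored)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_affected(text):
    v = parse_version(text)
    # 2.32.x is its own release line: fixed from 2.32.2 onwards.
    # Tuple comparison handles a bare "2.32": (2, 32) < (2, 32, 2) is True.
    if v[:2] == LTS_BRANCH:
        return v < FIX_LTS
    # Every other line (including 1.x and older 2.x LTS lines): fixed from 2.44.
    return v[:2] < FIX_MAIN


def triage(inventory):
    """inventory: {host: version}. Returns the hosts still on an affected version."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE = {
    "ci-a": "2.32.1", "ci-b": "2.32.2", "ci-c": "2.43",
    "ci-d": "2.44", "ci-e": "2.32.3", "ci-f": "1.651.3",
}

if __name__ == "__main__":
    print(triage(SAMPLE))  # ['ci-a', 'ci-c', 'ci-f']
```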

Tags: Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2017-2608
GHSA-FWQR-3PVP-PJWQ

Affected Products

Jenkins