CVE-2015-8103

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:openshift_container_platform:2.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

History

09 Jan 2024, 02:16

Type Values Removed Values Added
CWE CWE-77 CWE-502
CPE cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:2.2:*:*:*:*:*:*:*
First Time Redhat openshift Container Platform
References (BID) http://www.securityfocus.com/bid/77636 - (BID) http://www.securityfocus.com/bid/77636 - Broken Link
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/13 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/13 - Mailing List
References (MISC) http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html - (MISC) http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html - Exploit, Third Party Advisory, VDB Entry
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/2 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/2 - Mailing List
References (REDHAT) https://access.redhat.com/errata/RHSA-2016:0070 - (REDHAT) https://access.redhat.com/errata/RHSA-2016:0070 - Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/09/5 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/09/5 - Mailing List
References (REDHAT) http://rhn.redhat.com/errata/RHSA-2016-0489.html - (REDHAT) http://rhn.redhat.com/errata/RHSA-2016-0489.html - Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/11 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/11 - Mailing List
References (CONFIRM) https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli - (CONFIRM) https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli - Exploit
References (EXPLOIT-DB) https://www.exploit-db.com/exploits/38983/ - (EXPLOIT-DB) https://www.exploit-db.com/exploits/38983/ - Exploit, Third Party Advisory, VDB Entry
CVSS v2 : 7.5
v3 : unknown
v2 : 7.5
v3 : 9.8

Information

Published : 2015-11-25 20:59

Updated : 2024-02-28 15:21


NVD link : CVE-2015-8103

Mitre link : CVE-2015-8103

CVE.ORG link : CVE-2015-8103


JSON object : View

Products Affected

redhat

  • openshift_container_platform

jenkins

  • jenkins
CWE
CWE-502

Deserialization of Untrusted Data