The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
References
Configurations
History
09 Jan 2024, 02:16
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-502 | |
CPE | cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:* |
cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:2.2:*:*:*:*:*:*:* |
First Time |
Redhat openshift Container Platform
|
|
References | (BID) http://www.securityfocus.com/bid/77636 - Broken Link | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/13 - Mailing List | |
References | (MISC) http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html - Exploit, Third Party Advisory, VDB Entry | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/2 - Mailing List | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2016:0070 - Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2015/11/09/5 - Mailing List | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2016-0489.html - Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/11 - Mailing List | |
References | (CONFIRM) https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli - Exploit | |
References | (EXPLOIT-DB) https://www.exploit-db.com/exploits/38983/ - Exploit, Third Party Advisory, VDB Entry | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
Information
Published : 2015-11-25 20:59
Updated : 2024-02-28 15:21
NVD link : CVE-2015-8103
Mitre link : CVE-2015-8103
CVE.ORG link : CVE-2015-8103
JSON object : View
Products Affected
redhat
- openshift_container_platform
jenkins
- jenkins
CWE
CWE-502
Deserialization of Untrusted Data