CVE-2015-8103

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
References
Link Resource
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins Exploit
http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html Exploit Third Party Advisory VDB Entry
http://rhn.redhat.com/errata/RHSA-2016-0489.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/11/09/5 Mailing List
http://www.openwall.com/lists/oss-security/2015/11/18/11 Mailing List
http://www.openwall.com/lists/oss-security/2015/11/18/13 Mailing List
http://www.openwall.com/lists/oss-security/2015/11/18/2 Mailing List
http://www.securityfocus.com/bid/77636 Broken Link
https://access.redhat.com/errata/RHSA-2016:0070 Third Party Advisory
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli Exploit
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 Vendor Advisory
https://www.exploit-db.com/exploits/38983/ Exploit Third Party Advisory VDB Entry
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins Exploit
http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html Exploit Third Party Advisory VDB Entry
http://rhn.redhat.com/errata/RHSA-2016-0489.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/11/09/5 Mailing List
http://www.openwall.com/lists/oss-security/2015/11/18/11 Mailing List
http://www.openwall.com/lists/oss-security/2015/11/18/13 Mailing List
http://www.openwall.com/lists/oss-security/2015/11/18/2 Mailing List
http://www.securityfocus.com/bid/77636 Broken Link
https://access.redhat.com/errata/RHSA-2016:0070 Third Party Advisory
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli Exploit
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 Vendor Advisory
https://www.exploit-db.com/exploits/38983/ Exploit Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:openshift_container_platform:2.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

History

21 Nov 2024, 02:38

Type Values Removed Values Added
References () http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins - Exploit () http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins - Exploit
References () http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html - Exploit, Third Party Advisory, VDB Entry
References () http://rhn.redhat.com/errata/RHSA-2016-0489.html - Third Party Advisory () http://rhn.redhat.com/errata/RHSA-2016-0489.html - Third Party Advisory
References () http://www.openwall.com/lists/oss-security/2015/11/09/5 - Mailing List () http://www.openwall.com/lists/oss-security/2015/11/09/5 - Mailing List
References () http://www.openwall.com/lists/oss-security/2015/11/18/11 - Mailing List () http://www.openwall.com/lists/oss-security/2015/11/18/11 - Mailing List
References () http://www.openwall.com/lists/oss-security/2015/11/18/13 - Mailing List () http://www.openwall.com/lists/oss-security/2015/11/18/13 - Mailing List
References () http://www.openwall.com/lists/oss-security/2015/11/18/2 - Mailing List () http://www.openwall.com/lists/oss-security/2015/11/18/2 - Mailing List
References () http://www.securityfocus.com/bid/77636 - Broken Link () http://www.securityfocus.com/bid/77636 - Broken Link
References () https://access.redhat.com/errata/RHSA-2016:0070 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2016:0070 - Third Party Advisory
References () https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli - Exploit () https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli - Exploit
References () https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 - Vendor Advisory () https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 - Vendor Advisory
References () https://www.exploit-db.com/exploits/38983/ - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/38983/ - Exploit, Third Party Advisory, VDB Entry

09 Jan 2024, 02:16

Type Values Removed Values Added
References (BID) http://www.securityfocus.com/bid/77636 - (BID) http://www.securityfocus.com/bid/77636 - Broken Link
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/13 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/13 - Mailing List
References (MISC) http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html - (MISC) http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html - Exploit, Third Party Advisory, VDB Entry
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/2 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/2 - Mailing List
References (REDHAT) https://access.redhat.com/errata/RHSA-2016:0070 - (REDHAT) https://access.redhat.com/errata/RHSA-2016:0070 - Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/09/5 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/09/5 - Mailing List
References (REDHAT) http://rhn.redhat.com/errata/RHSA-2016-0489.html - (REDHAT) http://rhn.redhat.com/errata/RHSA-2016-0489.html - Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/11 - (MLIST) http://www.openwall.com/lists/oss-security/2015/11/18/11 - Mailing List
References (CONFIRM) https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli - (CONFIRM) https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli - Exploit
References (EXPLOIT-DB) https://www.exploit-db.com/exploits/38983/ - (EXPLOIT-DB) https://www.exploit-db.com/exploits/38983/ - Exploit, Third Party Advisory, VDB Entry
CVSS v2 : 7.5
v3 : unknown
v2 : 7.5
v3 : 9.8
CWE CWE-77 CWE-502
CPE cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:2.2:*:*:*:*:*:*:*
First Time Redhat openshift Container Platform

Information

Published : 2015-11-25 20:59

Updated : 2024-11-21 02:38


NVD link : CVE-2015-8103

Mitre link : CVE-2015-8103

CVE.ORG link : CVE-2015-8103


JSON object : View

Products Affected

jenkins

  • jenkins

redhat

  • openshift_container_platform
CWE
CWE-502

Deserialization of Untrusted Data