CVE-2016-0792 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=1.643 <1.650 || >=0 <1.642.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.89805 (percentile 0.99545)
Details
Jenkins allows Deserialization of Untrusted Data via an XML File.
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Metadata
Created: 2022-05-14T03:58:15Z
Modified: 2025-03-13T18:02:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-45rg-g72w-r393/GHSA-45rg-g72w-r393.json
CWE IDs: ["CWE-20", "CWE-502"]
Alternative ID: GHSA-45rg-g72w-r393
Finding: F096
Auto approve: 1