Jenkins XStream Groovy classpath Deserialization

Posted by deepcore on December 20, 2017 – 2:49 am

This Metasploit module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« Tuleap 9.6 Second-Order PHP Object Injection Joomla! JB Visa 1.0 SQL Injection »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Jenkins XStream Groovy classpath Deserialization

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL