oss-sec mailing list archives
CVE request: Jenkins remote code execution vulnerability
From: Daniel Beck <ml () beckweb net>
Date: Sun, 13 Nov 2016 00:13:40 +0100
Hello,

An unauthenticated remote code execution vulnerability was discovered in the Jenkins continuous integration and continuous delivery automation server. A serialized Java object transferred to the Jenkins CLI can make Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.

The Jenkins project tracks this as SECURITY-360. Releases with the fix are planned for Wednesday, November 16.

Please assign a CVE to this issue.

References:

Jenkins website: https://jenkins.io/
Publication of the vulnerability in this talk: https://www.deepsec.net/speaker.html#PSLOT250
Notification and workaround by the Jenkins project here: https://groups.google.com/d/msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
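The advisory above turns on untrusted Java deserialization: a serialized object reaching the CLI is enough to make the server act on it. As an added illustration (example code, not Jenkins' own fix, which the message does not describe), here is the kind of look-ahead check a Java service can put in front of ObjectInputStream: resolveClass() runs before any object is instantiated, so refusing class names that are not expected on the wire stops an unexpected class from ever being constructed. The allowlist contents and the HashMap sample input are constructed for the demo.

```java
import java.io.*;
import java.util.Set;

/** Added example: ObjectInputStream with a class-name allowlist. */
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Constructed allowlist for this demo; a real service lists only the
    // message types it legitimately expects from clients.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.Integer", "java.lang.Number", "java.util.ArrayList");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called for each class descriptor in the stream before instantiation.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not allowlisted for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize with the allowlist; returns null (and logs) when rejected. */
    public static Object readSafely(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            // Drop the input instead of instantiating the unexpected class.
            System.err.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
            return null;
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowed class: deserializes normally.
        System.out.println("Integer  -> " + readSafely(serialize(Integer.valueOf(42))));
        // Class not on the allowlist: rejected before any object is built.
        System.out.println("HashMap  -> " + readSafely(serialize(new java.util.HashMap<String, String>())));
    }
}
```

On JDK 9 and later the same policy can be expressed with ObjectInputFilter (or the jdk.serialFilter system property) instead of subclassing; the check still has to happen before instantiation to be useful.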