Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yeDloLWgzYzQtd3FxaM4AATaP
Improper Neutralization of Special Elements used in an LDAP Query in Jenkins
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
Permalink: https://github.com/advisories/GHSA-2x9h-h3c4-wqqh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeDloLWgzYzQtd3FxaM4AATaP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 month ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2x9h-h3c4-wqqh, CVE-2016-9299
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-9299
- https://groups.google.com/forum/#!original/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
- https://groups.google.com/forum/#!original/jenkinsci-advisories/-fc-w9tNEJE/LZ7EOS0fBgAJ
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16
- https://www.cloudbees.com/jenkins-security-advisory-2016-11-16
- http://www.openwall.com/lists/oss-security/2016/11/12/4
- http://www.openwall.com/lists/oss-security/2016/11/14/9
- http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition
- https://github.com/jenkinsci/jenkins/commit/6078dd7aa097baf3402de9d5279f6053926a1ea7
- https://github.com/jenkinsci/jenkins/commit/ce8a2d51a5ee9ca12d0a75659b06161888e0a1bf
- https://github.com/jenkinsci/jenkins/commit/d84d9a2ad3825f316f805a18b3654b0803e0d7fc
- https://github.com/jenkinsci/jenkins/commit/f574224cae5ffde2bc4c996305c0dcf5ab135440
- https://github.com/jenkinsci/jenkins/commit/fde9c42fe05ac925a904b6c09a81d497d0e6ccea
- https://lists.fedoraproject.org/archives/list/[email protected]/message/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6
- https://www.exploit-db.com/exploits/44642
- https://github.com/advisories/GHSA-2x9h-h3c4-wqqh
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: <= 2.19.2; >= 2.20, <= 2.31
Fixed in: 2.19.3, 2.32