Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNHd4LXgydzktdnFtM80qIg
DoS vulnerability in bundled XStream library in Jenkins Core
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xml, build.xml, and numerous others.
This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml API, to cause a denial of service (DoS).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNHd4LXgydzktdnFtM80qIg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 4 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-34wx-x2w9-vqm3, CVE-2022-0538
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0538
- https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602
- http://www.openwall.com/lists/oss-security/2022/02/09/1
- https://github.com/jenkinsci/jenkins/commit/8276aef4cc3dd81810fe6bdf6fa48141632c4636
- https://github.com/advisories/GHSA-34wx-x2w9-vqm3
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: < 2.319.3, >= 2.320, < 2.334Fixed in: 2.319.3, 2.334