CVE-2016-0792 — Vulnetix

Try Vulnetix Request Demo

CVE-2016-0792 PUBLISHED CVSS 9 CRITICAL

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

EPSS 90.44% · 99.6th percentile

Risk Scores

CVSS v2.0

9

EPSS Score

90.44%

99.6th percentile

Affected Products

Vendor	Product	Versions
Maven	org.jenkins-ci.main:jenkins-core	1.643, 0
n/a	n/a	n/a
jenkins	jenkins	0, 0
redhat	openshift	3.1

Timeline

Apr 7, 2016 CVE Published
Jul 30, 2017 PoC Published
Jul 31, 2017 PoC Published
Dec 19, 2017 PoC Published
Dec 19, 2017 PoC Published
May 29, 2018 PoC Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Dec 14, 2022 EPSS Score

References

43375 exploit
RHSA-2016:0711 vendor-advisory
42394 exploit
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream url
RHSA-2016:1773 vendor-advisory
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 url
https://nvd.nist.gov/vuln/detail/CVE-2016-0792 advisory
https://github.com/jenkinsci/jenkins/commit/7f202f0317e60cd3160f61467b8558f864f83f41 url
https://github.com/jenkinsci/jenkins package
https://www.exploit-db.com/exploits/42394 url
https://www.exploit-db.com/exploits/43375 url

Open in Interactive Console →