Date: Mon, 9 Nov 2015 15:19:36 +0100
From: Daniel Beck <>
Subject: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization


Please assign a CVE to this issue:

Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.
This is tracked as SECURITY-218 in the Jenkins project. All current Jenkins releases are affected.

Public exploit:

Temporary workaround:

A related issue is being discussed here:
Jenkins is affected by both this and the Groovy variant in 'ysoserial'.

We plan to release a fix for this as part of our planned security update on Wednesday.


Daniel Beck
