Date: Sun, 13 Nov 2016 00:13:40 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: Jenkins remote code execution vulnerability

Hello,

An unauthenticated remote code execution vulnerability was discovered in the Jenkins continuous integration and continuous delivery automation server. A serialized Java object transferred to the Jenkins CLI can make Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.

The Jenkins project tracks this as SECURITY-360. Releases with the fix are planned for Wednesday, November 16.

Please assign a CVE to this issue.

References:

Jenkins website: https://jenkins.io/

Publication of the vulnerability in this talk: https://www.deepsec.net/speaker.html#PSLOT250

Notification and workaround by the Jenkins project here: https://groups.google.com/d/msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
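The report above describes a deserialization chain that got past a denylist of known gadget classes. The general hardening for that class of problem, when an application must accept serialized Java objects at all, is an allowlist: reject every class the stream names unless it is explicitly expected, before any of its fields are read. The following is an added example written for this page; it is not code from the Jenkins project or from the reporter, and the allowed class names and the sample objects are constructed for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Set;

// Added example (not Jenkins project code): an ObjectInputStream that only
// resolves classes on an explicit allowlist. Anything else, including dynamic
// proxies, is refused with InvalidClassException before its state is read.
// The allowlist below is an assumption chosen for this demonstration.
public final class AllowlistObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "java.lang.Integer",
        "java.util.ArrayList",
        "[Ljava.lang.String;");   // arrays use JVM descriptor syntax

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: unknown class means the stream is not trusted.
            throw new InvalidClassException(name,
                "class not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        // Proxy classes are never needed for plain data; refuse them outright.
        throw new InvalidClassException("java.lang.reflect.Proxy",
            "dynamic proxies are rejected");
    }

    // Serializes one object into a byte array (constructed test input).
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an ArrayList<String> is on the allowlist.
        ArrayList<String> list = new ArrayList<>();
        list.add("build-1");
        try (ObjectInputStream ois =
                 new AllowlistObjectInputStream(
                     new ByteArrayInputStream(serialize(list)))) {
            System.out.println("accepted: " + ois.readObject());
        }

        // Constructed sample 2: a HashMap is harmless here, but it is not on
        // the allowlist, so the stream is rejected at class resolution time.
        try (ObjectInputStream ois =
                 new AllowlistObjectInputStream(
                     new ByteArrayInputStream(
                         serialize(new HashMap<String, String>())))) {
            ois.readObject();
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the allowlist is that it does not need to know which gadget chain an attacker will use: a class that is not expected is refused regardless of whether it is on anyone's denylist. On Java 9 and later the same policy can be expressed with the standard `java.io.ObjectInputFilter` (JEP 290) instead of overriding `resolveClass`; the `resolveClass` form is shown here because it also works on the Java 7 and 8 runtimes that were current when this report was written.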