Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-8103: Deserialization of Untrusted Data in Jenkins

Severity: 9.8 CRITICAL (NVD)
EPSS: 90.4% (top 0.39%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Nov 25; latest update Aug 17

Description

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

NVD: jenkins/jenkins < 1.625.2+1

Also affects: Openshift Container Platform 2.2, 3.1

🔴 Vulnerability Details (3)

OSV: Jenkins CLI Deserialization of Untrusted Data vulnerability (2022-05-13)
GHSA: Jenkins CLI Deserialization of Untrusted Data vulnerability (2022-05-13)
CVEList: CVE-2015-8103: The Jenkins CLI subsystem in Jenkins before 1… (2015-11-25)

💥 Exploits & PoCs (4)

Exploit-DB: Jenkins CLI - RMI Java Deserialization (Metasploit) (2015-12-15)
Metasploit: OpenNMS Java Object Unserialization Remote Code Execution
Metasploit: Jenkins-CI Unauthenticated Script-Console Scanner
Metasploit: Jenkins CLI RMI Java Deserialization Vulnerability

📋 Vendor Advisories (2)

Red Hat: jenkins: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (SECURITY-218) (2015-11-11)
Jenkins: Jenkins Security Advisory 2015-11-11 (2015-11-11)

🕵️ Threat Intelligence (2)

Recorded Future: Turning Criminal Forum Exploit Chatter Into Vulnerability Risk Analysis
Recorded Future: Turning Criminal Forum Exploit Chatter Into Vulnerability Risk Analysis | Recorded Future

📐 Framework References (2)

CWE: Deserialization of Untrusted Data
CWE: Improper Control of Dynamically-Managed Code Resources

📄 Research Papers (1)

arXiv: An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities (2022-08-17)

💬 Community (1)

Bugzilla: CVE-2015-8103 jenkins: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (SECURITY-218) (2015-11-16)
CVE-2015-8103 — Deserialization of Untrusted Data | cvebase