CVE-2016-0792
Published 2016-04-07
Priority P277 · high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 82.70% (99.6th percentile)
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | <= 1.649 | — |
| jenkins | jenkins | <= 1.642.1 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| redhat | openshift | — | — |
Detection & IOCs (extracted from sources)
Other: groovy.util.Expando XStream deserialization XML payload with hashCode/expandoProperties/map/entry structure
- Detect HTTP POST requests to the Jenkins /createItem endpoint with Content-Type: application/xml; this is the attack vector used to deliver the malicious XStream deserialization payload.
- Alert on XML POST bodies to Jenkins API endpoints that contain the groovy.util.Expando class reference combined with 'hashCode' and 'expandoProperties' elements, which are the hallmarks of the XStream Groovy deserialization gadget chain.
- The Metasploit module states that authentication is not required to exploit this vulnerability, so unauthenticated POST requests to /createItem carrying XML bodies should be treated as high-fidelity alerts on Jenkins instances.
- The exploit treats a 500 HTTP response code from Jenkins after a POST to /createItem with an XML payload as a success indicator; correlate 500 responses on this endpoint with suspicious XML POST bodies.
- The vulnerability affects Jenkins main line releases up to and including 1.649 and all LTS releases up to and including 1.642.1; the fix is present only in 1.650+ (main line) and 1.642.2+ (LTS).
- The issue affects default Jenkins installations: no special configuration is required for the system to be vulnerable, as Groovy is present in the default classpath.
- The vulnerability is triggered via multiple unspecified API endpoints (not just /createItem), so blocking a single endpoint is insufficient for full remediation.
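The request-level checks listed above, combined into one triage function, as an added example (not code from this page or from any vendor rule). The record fields (`method`, `path`, `content_type`, `user`, `status`, `body`), the severity labels, the `/other/xml-endpoint` path and the sample records are assumptions constructed for illustration; it presumes a proxy or WAF that logs request bodies.

```python
import re

# Strings the page lists as hallmarks of the gadget chain in an XML body.
MARKERS = ("groovy.util.Expando", "hashCode", "expandoProperties")
XML_TYPE = re.compile(r"^\s*(application|text)/xml\b", re.I)

def triage(rec):
    """Classify one logged HTTP transaction; returns (severity, reasons)."""
    is_post = rec["method"].upper() == "POST"
    if not is_post or not XML_TYPE.match(rec.get("content_type") or ""):
        return "none", []
    path = rec["path"].split("?", 1)[0].rstrip("/")
    create_item = path.endswith("/createItem")
    gadget = all(m in (rec.get("body") or "") for m in MARKERS)
    reasons = []
    if gadget:
        # Several endpoints deserialize XML, so this is not tied to /createItem.
        reasons.append("gadget-markers-in-body")
    if create_item and rec.get("user") is None:
        reasons.append("unauthenticated-xml-post-to-createItem")
    if not reasons:
        # Authenticated XML POST without markers, e.g. routine API job creation.
        return ("info" if create_item else "none"), []
    status_500 = rec.get("status") == 500
    if status_500:
        reasons.append("http-500-response")
    return ("critical" if gadget and status_500 else "high"), reasons

# Constructed records; bodies hold only the marker strings, not a payload.
MARKED = "... groovy.util.Expando ... expandoProperties ... hashCode ..."
SAMPLES = [
    {"method": "POST", "path": "/createItem?name=nightly", "user": "ci-bot",
     "content_type": "application/xml", "status": 200,
     "body": "<project><description>nightly</description></project>"},
    {"method": "POST", "path": "/createItem?name=x", "user": None,
     "content_type": "application/xml; charset=utf-8", "status": 500,
     "body": MARKED},
    {"method": "POST", "path": "/other/xml-endpoint", "user": "dev1",
     "content_type": "text/xml", "status": 200, "body": MARKED},
    {"method": "GET", "path": "/createItem", "user": None,
     "content_type": "", "status": 405, "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["method"], rec["path"], *triage(rec))
```

The markers are matched as plain strings, so the logged body must already be decoded (after any gzip or chunked transfer decoding) for the check to see them.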
CVSS provenance
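| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_redhat | — | 8.8 | HIGH | — |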
GHSA
Jenkins allows Deserialization of Untrusted Data via an XML File
ghsa·2022-05-14
CVE-2016-0792 [HIGH] CWE-20 Jenkins allows Deserialization of Untrusted Data via an XML File
OSV
Jenkins allows Deserialization of Untrusted Data via an XML File
osv·2022-05-14
CVE-2016-0792 [HIGH] Jenkins allows Deserialization of Untrusted Data via an XML File
Red Hat
jenkins: Remote code execution through remote API (SECURITY-247)
vendor_redhat·2016-02-24·CVSS 8.8
CVE-2016-0792 [HIGH] jenkins: Remote code execution through remote API (SECURITY-247)
Jenkins
Jenkins Security Advisory 2016-02-24
vendor_jenkins·2016-02-24·CVSS 9.8
CVE-2016-0788 [CRITICAL] Jenkins Security Advisory 2016-02-24
This advisory announces multiple vulnerabilities in Jenkins.
Description
Remote code execution vulnerability in remoting module
SECURITY-232 / CVE-2016-0788
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins controller process, which allowed arbitrary code execution.
HTTP response splitting vulnerability
SECURITY-238 / CVE-2016-0789
An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.
Non-constant time comparison of API token
SECURITY-241 / CVE-2016-0790
The verifica
No detection rules found.
Exploit-DB
Jenkins - XStream Groovy classpath Deserialization (Metasploit)
exploitdb·2017-12-19·CVSS 8.8
CVE-2016-0792 [HIGH] Jenkins - XStream Groovy classpath Deserialization (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Jenkins XStream Groovy classpath Deserialization Vulnerability',
'Description' => %q{
This module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions
older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath,
which allows remote arbitrary code execution. The issue affects default installations. Authentication
is not required to exploit the vulnerability.
},
'Author' =>
[
'Arshan Dabirsiaghi', # Vulnerability discovery
'Matt Byrne ' # Metasploit module
],
'DisclosureDate'
Exploit-DB
Jenkins < 1.650 - Java Deserialization
exploitdb·2017-07-30·CVSS 8.8
CVE-2016-0792 [HIGH] Jenkins < 1.650 - Java Deserialization
Jenkins {entry}'
xml = f'''
hashCode
{preparedCommands}
start
1
'''
return xml
def exploit(url, command):
print(f'[*] STARTING')
try:
print(f'[+] Trying to exploit Jenkins running at address: {url}')
# Perform initial URL check to see if server is online and returns correct response code using HEAD request
headResponse = requests.head(url, timeout=30)
if headResponse.status_code == requests.codes.ok:
print(f'[+] Server online and responding | RESPONSE: {headResponse.status_code}')
# Check if X-Jenkins header containing version is present then proceed
jenkinsVersionHeader = headResponse.headers.get('X-Jenkins')
if jenkinsVersionHeader is not None:
# Strip version after second dot from header to perform conversion to Decimal
stripCharacter = "."
strippedVersion = stripChara
Metasploit
Jenkins XStream Groovy classpath Deserialization Vulnerability
metasploit·CVSS 8.8
CVE-2016-0792 [HIGH] Jenkins XStream Groovy classpath Deserialization Vulnerability
This module exploits CVE-2016-0792, a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2, which is caused by unsafe deserialization in XStream with Groovy in the classpath and allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability.
Metasploit
Microsoft Exchange ProxyLogon Collector
metasploit·CVSS 9.8
CVE-2021-26855 [CRITICAL] Microsoft Exchange ProxyLogon Collector
This module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855). By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments, contacts, ...). This vulnerability affects Exchange 2013 versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013 and Exchange 2019 CU8 < 15.02.0792.010. All components are vulnerable by default.
Metasploit
Microsoft Exchange ProxyLogon Scanner
metasploit·CVSS 9.8
CVE-2021-26855 [CRITICAL] Microsoft Exchange ProxyLogon Scanner
This module scans for a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855). By chaining this bug with another post-auth arbitrary-file-write vulnerability to get code execution (CVE-2021-27065), an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server. This vulnerability affects Exchange 2013 versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013 and Exchange 2019 CU8 < 15.02.0792.010. All components are vulnerable by default.
Metasploit
Microsoft Exchange ProxyLogon RCE
metasploit·CVSS 9.8
CVE-2021-26855 [CRITICAL] Microsoft Exchange ProxyLogon RCE
This module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication, impersonate the admin (CVE-2021-26855) and write an arbitrary file (CVE-2021-27065) to get RCE (Remote Code Execution). By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013 and Exchange 2019 CU8 < 15.02.0792.010. All components are vulnerable by default.
Bugzilla
CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all]
bugzilla·2016-02-25·CVSS 9.8
CVE-2016-0788 [CRITICAL] CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this is
Bugzilla
CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247)
bugzilla·2016-02-25·CVSS 8.8
CVE-2016-0792 [HIGH] CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247)
The following flaw was found in Jenkins:
Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
Discussion:
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1311952]
---
jenkins-1.625.3-3.fc23, jenkins-remoting-2.53.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
---
jenkins-1.609.3-6.fc22, jenkins-remoting-2.53.3-1.fc22 has been pus
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
- https://access.redhat.com/errata/RHSA-2016:0711
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
- https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
- https://www.exploit-db.com/exploits/42394/
- https://www.exploit-db.com/exploits/43375/
Published: 2016-04-07