Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-0792: Improper Input Validation in Jenkins

Severity: 8.8 HIGH (NVD)
EPSS: 90.9% (top 0.37%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Apr 7
Latest update: May 14

Description

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: jenkins/jenkins 1.649 +1

Patches

🔴 Vulnerability Details (3)

GHSA: Jenkins allows Deserialization of Untrusted Data via an XML File (2022-05-14)
OSV: Jenkins allows Deserialization of Untrusted Data via an XML File (2022-05-14)
CVEList: CVE-2016-0792: Multiple unspecified API endpoints in Jenkins before 1 (2016-04-07)

💥 Exploits & PoCs (6)

Exploit-DB: Jenkins - XStream Groovy classpath Deserialization (Metasploit) (2017-12-19)
Exploit-DB: Jenkins < 1.650 - Java Deserialization (2017-07-30)
Metasploit: Jenkins XStream Groovy classpath Deserialization Vulnerability
Metasploit: Microsoft Exchange ProxyLogon Collector
Metasploit: Microsoft Exchange ProxyLogon Scanner

📋 Vendor Advisories (2)

Red Hat: jenkins: Remote code execution through remote API (SECURITY-247) (2016-02-24)
Jenkins: Jenkins Security Advisory 2016-02-24 (2016-02-24)

💬 Community (2)

Bugzilla: CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all] (2016-02-25)
Bugzilla: CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247) (2016-02-25)