CVE-2016-0792
published 2016-04-07


Priority: P2 (77), high; base score 8.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (Metasploit module)
EPSS: 82.70% (99.6th percentile)
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Affected

5 ranges

Vendor    Product        Version range    Fixed in
jenkins   jenkins        <= 1.649
jenkins   jenkins        <= 1.642.1
jenkins   jenkins_core
jenkins   jenkins_lts
redhat    openshift

Detection & IOCs (extracted from sources)

url:    /createItem?name=<random>
other:  Content-Type: application/xml
port:   8080
url:    /createItem
other:  groovy.util.Expando XStream deserialization XML payload with hashCode/expandoProperties/map/entry structure
  • Detect HTTP POST requests to the Jenkins /createItem endpoint with Content-Type: application/xml — this is the attack vector used to deliver the malicious XStream deserialization payload.
  • Alert on XML POST bodies to Jenkins API endpoints that contain the groovy.util.Expando class reference combined with 'hashCode' and 'expandoProperties' elements, which are the hallmarks of the XStream Groovy deserialization gadget chain.
  • Authentication is not required to exploit this vulnerability in the Metasploit module, so unauthenticated POST requests to /createItem carrying XML bodies should be treated as high-fidelity alerts on Jenkins instances.
  • A 500 HTTP response code from Jenkins after a POST to /createItem with an XML payload is treated by the exploit as a success indicator — correlate 500 responses on this endpoint with suspicious XML POST bodies.
  • The vulnerability affects Jenkins main line releases up to and including 1.649 and all LTS releases up to and including 1.642.1; the fix is present only in 1.650+ (main line) and 1.642.2+ (LTS).
  • The issue affects default Jenkins installations — no special configuration is required for the system to be vulnerable, as Groovy is present in the default classpath.
  • The vulnerability is triggered via multiple unspecified API endpoints (not just /createItem), so blocking a single endpoint is insufficient for full remediation.
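The detection bullets above can be turned into a small rule that runs over HTTP request records. The following Python is an added example, not part of this CVE record or of any Jenkins or Metasploit code; the request structure, field names (method, path, headers, body, status, authenticated) and the sample requests are constructed for illustration. Two assumptions go beyond the record: the path check accepts any context path ending in /createItem (Jenkins is often deployed under a prefix), and text/xml is treated like application/xml.

```python
# Added example: apply the CVE-2016-0792 detection indicators to HTTP request records.
# Request model, field names and sample data are constructed; they are not from the record.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hallmarks of the XStream / groovy.util.Expando payload named on the record.
PAYLOAD_MARKERS = ("groovy.util.Expando", "hashCode", "expandoProperties")
XML_TYPES = ("application/xml", "text/xml")  # text/xml is an assumption, see lead-in


@dataclass
class HttpRequest:
    method: str
    path: str            # request target, may include a query string
    headers: dict
    body: str
    status: Optional[int] = None      # response code, if the log records it
    authenticated: bool = False       # True when the server saw a valid session/user


@dataclass
class Finding:
    severity: str        # "medium" or "high"
    reasons: list


def header(req: HttpRequest, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_xml_post_to_create_item(req: HttpRequest) -> bool:
    """Attack vector from the record: POST to /createItem with an XML content type."""
    if req.method.upper() != "POST":
        return False
    path = urlsplit(req.path).path.rstrip("/")
    if not path.endswith("/createItem"):          # assumption: allow a context path prefix
        return False
    content_type = (header(req, "Content-Type") or "").split(";")[0].strip().lower()
    return content_type in XML_TYPES


def assess(req: HttpRequest) -> Optional[Finding]:
    """Return a Finding for requests matching the record's indicators, else None."""
    if not is_xml_post_to_create_item(req):
        return None
    reasons = ["XML POST to /createItem"]
    severity = "medium"                            # job creation via XML is also legitimate
    if all(marker in req.body for marker in PAYLOAD_MARKERS):
        reasons.append("body references groovy.util.Expando with hashCode/expandoProperties")
        severity = "high"
    if not req.authenticated:
        reasons.append("request is unauthenticated")
        severity = "high"
    if req.status == 500:
        reasons.append("server answered 500, the exploit's success indicator")
    return Finding(severity, reasons)


def scan(requests: list) -> list:
    """Evaluate every request; return (index, Finding) pairs for those that matched."""
    results = []
    for index, req in enumerate(requests):
        finding = assess(req)
        if finding is not None:
            results.append((index, finding))
    return results


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    # 0: legitimate job creation by a logged-in user
    HttpRequest("POST", "/createItem?name=nightly-build",
                {"Content-Type": "application/xml; charset=UTF-8"},
                "<project><description>nightly</description></project>",
                status=200, authenticated=True),
    # 1: unauthenticated XML POST carrying the payload markers, answered with 500
    HttpRequest("POST", "/jenkins/createItem?name=x9f2",
                {"content-type": "application/xml"},
                "<map><entry><groovy.util.Expando><expandoProperties><entry>"
                "<string>hashCode</string></entry></expandoProperties>"
                "</groovy.util.Expando></entry></map>",
                status=500, authenticated=False),
    # 2: GET on the endpoint, not the attack vector
    HttpRequest("GET", "/createItem?name=foo", {}, "", status=405, authenticated=True),
    # 3: form-encoded POST, not XML
    HttpRequest("POST", "/createItem", {"Content-Type": "application/x-www-form-urlencoded"},
                "name=foo&mode=hudson.model.FreeStyleProject", status=302, authenticated=True),
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {finding.severity} - {'; '.join(finding.reasons)}")
```

Request 0 is reported at medium severity with a single reason, since XML job creation is normal Jenkins usage; request 1 reaches high on both the payload markers and the missing authentication, with the 500 response recorded as corroboration. Because the record notes that other, unspecified endpoints are affected as well, treat the path check as a floor for tuning rather than the complete rule.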

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_redhat             8.8     HIGH