Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-9299 — LDAP Injection in Jenkins

CWE-90 — LDAP Injection CWE-502 — Deserialization of Untrusted Data11 documents10 sources

Severity

9.8CRITICALNVD

EPSS

89.3%

top 0.46%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Jenkins Fedoraproject Fedora Jenkins Core +1 more

Timeline

PublishedJan 12

Latest updateMay 14

Description

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDjenkins/jenkins2.19.2+1

▶jenkinsjenkins/jenkins_lts

▶jenkinsjenkins/jenkins_core

Also affects: Fedora 25

🔴Vulnerability Details

GHSA

Improper Neutralization of Special Elements used in an LDAP Query in Jenkins↗2022-05-14

▶

OSV

Improper Neutralization of Special Elements used in an LDAP Query in Jenkins↗2022-05-14

▶

VulnCheck

Jenkins jenkins Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')↗2016

▶

💥Exploits & PoCs

Exploit-DB

Jenkins CLI - HTTP Java Deserialization (Metasploit)↗2018-05-17

▶

Metasploit

Jenkins CLI HTTP Java Deserialization Vulnerability↗

▶

Nuclei

Jenkins CLI - HTTP Java Deserialization

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2016-11-16↗2016-11-16

▶

Red Hat

jenkins: Java deserialization flaw leads to RCE↗2016-11-11

▶

💬Community

Bugzilla

CVE-2016-9299 jenkins: Java deserialization flaw leads to RCE [fedora-all]↗2016-11-15

▶

Bugzilla

CVE-2016-9299 jenkins: Java deserialization flaw leads to RCE↗2016-11-15

▶