CVE-2018-1999042 — Deserialization of Untrusted Data in Jenkins

CWE-502 — Deserialization of Untrusted Data7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 54.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Core Jenkins LTS +1 more

Timeline

PublishedAug 23

Latest updateMay 14

Description

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDjenkins/jenkins2.121.2+1

▶jenkinsjenkins/jenkins_lts

▶jenkinsjenkins/jenkins_core

▶jenkinsjenkins/jenkins_weekly

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in Jenkins↗2022-05-14

▶

OSV

Deserialization of Untrusted Data in Jenkins↗2022-05-14

▶

📋Vendor Advisories

Red Hat

jenkins: Deserialization of URL objects with host components↗2018-08-15

▶

Jenkins

Jenkins Security Advisory 2018-08-15↗2018-08-15

▶

💬Community

Bugzilla

CVE-2018-1999042 jenkins: Deserialization of URL objects with host components [fedora-all]↗2018-08-23

▶

Bugzilla

CVE-2018-1999042 jenkins: Deserialization of URL objects with host components↗2018-08-23

▶