CVE-2022-0538

CWE-502Deserialization of Untrusted Data6 documents6 sources
Severity
7.5HIGH
EPSS
0.6%
top 31.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins JenkinsJenkins Project Jenkins
Timeline
PublishedFeb 9
Latest updateFeb 10

Description

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDjenkins/jenkins< 2.319.3+1
Mavenorg.jenkins-ci.main:jenkins-core2.3202.334+1
CVEListV5jenkins_project/jenkinsunspecified2.333+1

🔴Vulnerability Details

3
OSV
DoS vulnerability in bundled XStream library in Jenkins Core2022-02-10
GHSA
DoS vulnerability in bundled XStream library in Jenkins Core2022-02-10
CVEList
CVE-2022-0538: Jenkins 22022-02-09

📋Vendor Advisories

2
Red Hat
jenkins: DoS vulnerability in bundled XStream library2022-02-09
Jenkins
Jenkins Security Advisory 2022-02-092022-02-09
CVE-2022-0538 (HIGH CVSS 7.5) | Jenkins 2.333 and earlier | cvebase.io