CVE-2022-41237: Deserialization of Untrusted Data in Project Jenkins DotCi Plugin

Severity: 9.8 CRITICAL (NVD)
EPSS: 1.1% (top 22.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 21; Latest update Sep 22

Description

Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (2 packages)

CVEListV5: jenkins_project/jenkins_dotci_plugin, versions unspecified through 2.40.00
NVD: jenkins/dotci, version 2.40.00

Vulnerability Details (3)

OSV: RCE vulnerability in Jenkins DotCi Plugin (2022-09-22)
GHSA: RCE vulnerability in Jenkins DotCi Plugin (2022-09-22)
CVEList: CVE-2022-41237: Jenkins DotCi Plugin 2 (2022-09-21)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2022-09-21 (2022-09-21)