The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Threat-Mapped Scoring

Score: 1.8

Priority: P4 - Informational (Low)

• S9 – Sabotage of System/App

EPSS

Score: 0.90634
Percentile: 0.99587

CVSS Scoring

Mapped CWE(s)

• CWE-502 : Deserialization of Untrusted Data

All CAPEC(s)

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

Affected Products

• cpe:2.3:a:redhat:openshift_container_platform:2.2:*:*:*:*:*:*:*
• cpe:2.3:a:redhat:openshift_container_platform:3.1:*:*:*:*:*:*:*
• cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
• cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

← Back to Home