Description
Improper Neutralization of Special Elements used in an LDAP Query in Jenkins
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-9299
- https://github.com/jenkinsci/jenkins/commit/6078dd7aa097baf3402de9d5279f6053926a1ea7
- https://github.com/jenkinsci/jenkins/commit/ce8a2d51a5ee9ca12d0a75659b06161888e0a1bf
- https://github.com/jenkinsci/jenkins/commit/d84d9a2ad3825f316f805a18b3654b0803e0d7fc
- https://github.com/jenkinsci/jenkins/commit/f574224cae5ffde2bc4c996305c0dcf5ab135440
- https://github.com/jenkinsci/jenkins/commit/fde9c42fe05ac925a904b6c09a81d497d0e6ccea
- https://groups.google.com/forum/#!original/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
- https://groups.google.com/forum/#!original/jenkinsci-advisories/-fc-w9tNEJE/LZ7EOS0fBgAJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16
- https://www.cloudbees.com/jenkins-security-advisory-2016-11-16
- https://www.exploit-db.com/exploits/44642
- http://www.openwall.com/lists/oss-security/2016/11/12/4
- http://www.openwall.com/lists/oss-security/2016/11/14/9
- http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition
Packages
- org.jenkins-ci.main:jenkins-core: affected versions >= 2.20, <= 2.31; fixed in 2.32
- org.jenkins-ci.main:jenkins-core: affected versions <= 2.19.2; fixed in 2.19.3