exploitDog
GHSA-58pr-hprx-7hg6

Published: 24 May 2022
Source: github
GitHub: reviewed
CVSS3: 8.8

Description

RCE vulnerability in Jenkins Code Coverage API Plugin

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to the Java objects it deserializes from disk, so the class names in the persisted XML decide which types get instantiated.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes, since an agent can write the files the controller later deserializes.

Jenkins Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.
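The following is an added illustration of the pattern the advisory describes, not the plugin's own code: a coverage result graph persisted with XStream and read back from disk. The unsafe loader accepts any type named in the XML (the pre-1.4.18 XStream default, set explicitly here so the behaviour does not depend on the XStream version); the hardened loader denies everything and then allow-lists only the types it persists, which is what JEP-200 enforces inside Jenkins through `hudson.util.XStream2` and its class filter. The `CoverageResult` class, the `coverage` alias, the file name and the hostile sample are assumptions made for the example; XStream 1.4.x is assumed on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

public class CoverageDeserializationDemo {

    // Hypothetical persisted type standing in for the plugin's coverage results.
    public static class CoverageResult {
        public String name;
        public int covered;
        public int missed;
        public List<CoverageResult> children = new ArrayList<>();
    }

    // Vulnerable pattern: no type restriction at all. AnyTypePermission.ANY is
    // what an unconfigured XStream older than 1.4.18 used implicitly, so the
    // element names in the file choose which classes get instantiated.
    static Object loadUnsafe(String xml) {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        return xs.fromXML(xml);
    }

    // Hardened pattern: deny by default, then allow exactly the types we write.
    // NoTypePermission.NONE wipes any earlier permission; later calls re-enable
    // null, primitives and the allow-listed classes. This mirrors what the
    // JEP-200 class filter does for XStream2 inside Jenkins (assumption: same
    // effect, different API, so the example runs without Jenkins on the classpath).
    static XStream safeXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, ArrayList.class, CoverageResult.class });
        xs.alias("coverage", CoverageResult.class);
        return xs;
    }

    static Object loadSafe(String xml) {
        return safeXStream().fromXML(xml);
    }

    // The on-disk case the advisory is about: a file an agent was able to write.
    static CoverageResult loadFromDisk(Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            return (CoverageResult) safeXStream().fromXML(in);
        }
    }

    public static void main(String[] args) {
        // Constructed sample of legitimate persisted data.
        CoverageResult r = new CoverageResult();
        r.name = "module-a";
        r.covered = 120;
        r.missed = 7;
        String legit = safeXStream().toXML(r);
        CoverageResult back = (CoverageResult) loadSafe(legit);
        System.out.println("safe load of legitimate data: " + back.name + " " + back.covered + "/" + (back.covered + back.missed));

        // Constructed hostile sample: the element name selects an arbitrary JDK
        // class. A harmless stand-in is used; no gadget chain is shown here.
        String hostile = "<java.lang.ProcessBuilder/>";

        Object o = loadUnsafe(hostile);
        System.out.println("unsafe load instantiated: " + o.getClass().getName());

        try {
            loadSafe(hostile);
            System.out.println("unexpected: hostile type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("safe load rejected: " + e.getMessage());
        }
    }
}
```

The allow-list must name every type the plugin actually persists (including the concrete collection classes XStream writes, here `ArrayList`), otherwise legitimate files fail to load with the same `ForbiddenClassException`; that is the usual reason such protection gets disabled rather than configured, and why the fix is described as configuring deserialization to "only deserialize safe types" rather than turning the filter off.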

Packages

Name: io.jenkins.plugins:code-coverage-api
Ecosystem: maven
Affected versions: <= 1.4.0
Fixed version: 1.4.1

EPSS: 0.01198 (79th percentile), Low

CVSS3: 8.8 High

Weaknesses: CWE-502 (Deserialization of Untrusted Data)

Related vulnerabilities

CVSS3: 8.8 | nvd | more than 4 years ago

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
