Lucene search

RedhatCVE-2016-0792

HistoryApr 07, 2016 - 11:59 p.m.

CVE-2016-0792

2016-04-0723:59:03

CWE-20

redhat

web.nvd.nist.gov

cve-2016-0792

jenkins

api endpoints

remote code execution

xstream

groovy.util.expando

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.972

Percentile

99.9%

JSON

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Affected configurations

Nvd

Node

jenkinsjenkinsRange≤1.649

Node

redhatopenshiftMatch3.1enterprise

Node

jenkinsjenkinsRange≤1.642.1lts

VendorProductVersionCPE
jenkinsjenkins*cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
redhatopenshift3.1cpe:2.3:a:redhat:openshift:3.1:*:*:*:enterprise:*:*:*
jenkinsjenkins*cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Vendor	Product	Version	CPE
jenkins	jenkins	*	cpe:2.3:a:jenkins:jenkins::::::::
redhat	openshift	3.1	cpe:2.3:a:redhat:openshift:3.1::::enterprise:::
jenkins	jenkins	*	cpe:2.3:a:jenkins:jenkins:::::lts:::*