CVSSv2: 7.5

CVE-2015-8103

Published: 25/11/2015 Updated: 09/01/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 756
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The Jenkins CLI subsystem in Jenkins prior to 1.638 and LTS prior to 1.625.2 allows remote malicious users to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Products

redhat openshift container platform 3.1

redhat openshift container platform 2.2

jenkins jenkins

Vendor Advisories

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'" ...

Exploits

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_inf ...

This Metasploit module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability ...

Github Repositories

Some PoC (Proof-of-Concept) about vulnerability of java deserialization of untrusted data

Java Deserialization Of Untrusted Data

Here there are practical examples of the "deserialization of untrusted data" vulnerability. These PoCs use the ysoserial tool to generate exploits.

PoCs

Minimal Example (use OpenJDK 1.8):

  cd MinimalExample
  java -jar ../ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections6 "/tmp/exploit.sh" > payload.ser
  cp ../exploit

cve-2015-8103

CVE-2015-8103

This is part of Cved: a tool to manage vulnerable docker containers.

Cved: github.com/git-rep-src/cved
Image source: github.com/cved-sources/cve-2015-8103
Image author: github.com/Medicean/VulApps/tree/master/j/jboss/1