CVE-2016-0792

🗓️ 07 Apr 2016 23:00:00Reported by redhatType

cve🔗 web.nvd.nist.gov📰️ 5 Media mentions👁 217 Views🌐 WEB

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file

Reporter	Title	Published	Views	Family All 66
Gitee	Exploit for Improper Input Validation in Jenkins	4 Sep 201908:16	–	gitee
Gitee	Exploit for Improper Input Validation in Jenkins	23 Mar 202015:45	–	gitee
Gitee	Exploit for Improper Input Validation in Jenkins	28 Mar 202000:40	–	gitee
Gitee	Exploit for Improper Input Validation in Jenkins	8 Mar 202010:44	–	gitee
Gitee	Exploit for Improper Input Validation in Jenkins	17 Jul 202001:14	–	gitee
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Data_Grid	15 Sep 202009:08	–	gitee
Gitee	Exploit for Deserialization of Untrusted Data in Ibm Sterling_B2B_Integrator	3 Aug 202504:13	–	gitee
Gitee	Exploit for Improper Input Validation in Jenkins	6 Jul 202503:23	–	gitee
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Data_Grid	29 Oct 202013:31	–	gitee
0day.today	Jenkins < 1.650 - Java Deserialization Exploit	31 Jul 201700:00	–	zdt

NVD

Node

jenkins jenkinsRange≤1.649

Node

redhat openshiftMatch3.1enterprise

Node

jenkins jenkinsRange≤1.642.1lts

Source	Link
exploit-db	www.exploit-db.com/exploits/42394/
exploit-db	www.exploit-db.com/exploits/43375/
contrastsecurity	www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
access	www.access.redhat.com/errata/RHSA-2016:0711
wiki	www.wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
rhn	www.rhn.redhat.com/errata/RHSA-2016-1773.html

Parameter	Position	Path	Description	CWE
name	request body	/jenkins/createItem?name=knownsec	Remote code execution via XML deserialization using Groovy Expando (CVE-2016-0792) in Jenkins before 1.650 via crafted XML payload	CWE-20

06 May 2026 22:30Current

9.1High risk

Vulners AI Score9.1

CVSS 38.8

CVSS 29

EPSS0.90556

CWE-20