Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).
{"redhatcve": [{"lastseen": "2021-09-02T22:51:24", "description": "Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-02T15:19:40", "type": "redhatcve", "title": "CVE-2017-2608", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2608"], "modified": "2019-10-12T00:43:32", "id": "RH:CVE-2017-2608", "href": "https://access.redhat.com/security/cve/cve-2017-2608", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-11-10T08:11:19", "description": "A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n#### Mitigation\n\nDepending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address. \n\n\nAllow list approach \n\n \n \n java \n XStream xstream = new XStream(); \n XStream.setupDefaultSecurity(xstream); \n xstream.allowTypesByWildcard(new String[] {\"com.misc.classname\"}) \n \n\nDeny list for XStream 1.4.13 \n\n \n \n java \n xstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" }); \n xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); \n \n\nDeny list for XStream 1.4.7 -> 1.4.12 \n\n \n \n java \n xstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" }); \n xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); \n \n\nDeny list for versions prior to XStream 1.4.7 \n\n \n \n java \n xstream.registerConverter(new Converter() { \n public boolean canConvert(Class type) { \n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || Proxy.isProxy(type)); \n } \n \n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { \n throw new ConversionException(\"Unsupported type due to security reasons.\"); \n } \n \n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { \n throw new ConversionException(\"Unsupported type due to security reasons.\"); \n } \n }, XStream.PRIORITY_LOW); \n \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-18T10:26:26", "type": "redhatcve", "title": "CVE-2020-26217", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2608", "CVE-2020-26217"], "modified": "2022-11-10T06:21:14", "id": "RH:CVE-2020-26217", "href": "https://access.redhat.com/security/cve/cve-2020-26217", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-10T08:11:01", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.\n#### Mitigation\n\nAs recommended, use XStream's security framework to implement a whitelist for the allowed types. \n\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code: \n\n\nxstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" }); \nxstream.denyTypesByRegExp(new String[]{ ".*\\\\\\\\.ReadAllStream\\\\\\$FileStream" }); \n\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code: \n\n\nxstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); \nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); \nxstream.denyTypesByRegExp(new String[]{ ".*\\\\\\\\.ReadAllStream\\\\\\$FileStream" }); \n\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern. \n\n\nxstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); \nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); \nxstream.denyTypesByRegExp(new String[]{ ".*\\\\\\$LazyIterator", "javax\\\\\\\\.crypto\\\\\\\\..*", ".*\\\\\\\\.ReadAllStream\\\\\\$FileStream" }); \n\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285: \n\n\nxstream.registerConverter(new Converter() { \n public boolean canConvert(Class type) { \n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class \n || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString") \n || type == java.lang.Void.class || void.class || Proxy.isProxy(type) \n || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream")); \n } \n\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { \n throw new ConversionException("Unsupported type due to security reasons."); \n } \n\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { \n throw new ConversionException("Unsupported type due to security reasons."); \n } \n}, XStream.PRIORITY_LOW); \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-17T20:48:37", "type": "redhatcve", "title": "CVE-2020-26258", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7285", "CVE-2017-2608", "CVE-2020-26258"], "modified": "2022-11-10T06:21:24", "id": "RH:CVE-2020-26258", "href": "https://access.redhat.com/security/cve/cve-2020-26258", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-10T08:11:01", "description": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.\n#### Mitigation\n\nAs recommended, use XStream's security framework to implement a whitelist for the allowed types. \n\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code: \n\n\nxstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" }); \nxstream.denyTypesByRegExp(new String[]{ ".*\\\\\\\\.ReadAllStream\\\\\\$FileStream" }); \n\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code: \n\n\nxstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); \nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); \nxstream.denyTypesByRegExp(new String[]{ ".*\\\\\\\\.ReadAllStream\\\\\\$FileStream" }); \n\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern. \n\n\nxstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); \nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); \nxstream.denyTypesByRegExp(new String[]{ ".*\\\\\\$LazyIterator", "javax\\\\\\\\.crypto\\\\\\\\..*", ".*\\\\\\\\.ReadAllStream\\\\\\$FileStream" }); \n\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285: \n\n\nxstream.registerConverter(new Converter() { \n public boolean canConvert(Class type) { \n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class \n || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString") \n || type == java.lang.Void.class || void.class || Proxy.isProxy(type) \n || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream")); \n } \n\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { \n throw new ConversionException("Unsupported type due to security reasons."); \n } \n\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { \n throw new ConversionException("Unsupported type due to security reasons."); \n } \n}, XStream.PRIORITY_LOW); \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-17T20:48:46", "type": "redhatcve", "title": "CVE-2020-26259", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7285", "CVE-2017-2608", "CVE-2020-26259"], "modified": "2022-11-10T06:21:34", "id": "RH:CVE-2020-26259", "href": "https://access.redhat.com/security/cve/cve-2020-26259", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2022-07-01T18:17:35", "description": "Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T01:36:54", "type": "github", "title": "Deserialization of Untrusted Data in Jenkins", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2608"], "modified": "2022-07-01T17:46:30", "id": "GHSA-FWQR-3PVP-PJWQ", "href": "https://github.com/advisories/GHSA-fwqr-3pvp-pjwq", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:01:53", "description": "No description provided by source.", "published": "2017-02-06T00:00:00", "type": "seebug", "title": "Jenkins remote code execution vulnerability (CVE-2017-2608)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2608"], "modified": "2017-02-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92655", "id": "SSV:92655", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}], "ubuntucve": [{"lastseen": "2022-08-04T13:49:47", "description": "Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code\nexecution vulnerability involving the deserialization of various types in\njavax.imageio in XStream-based APIs (SECURITY-383).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-15T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2608", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2608"], "modified": "2018-05-15T00:00:00", "id": "UB:CVE-2017-2608", "href": "https://ubuntu.com/security/CVE-2017-2608", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T15:54:57", "description": "Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-15T20:29:00", "type": "cve", "title": "CVE-2017-2608", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2608"], "modified": "2019-10-09T23:26:00", "cpe": ["cpe:/a:jenkins:jenkins:2.44"], "id": "CVE-2017-2608", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2608", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.44:*:*:*:*:*:*:*"]}], "hackerone": [{"lastseen": "2022-10-09T13:10:00", "bounty": 0.0, "description": "###Summary: \nThe target OwnCloud's server is running an outdated version of _Jenkins server_ which is vulnerable to various attacks.\n\nServer Location: `https://ci.owncloud.org`\n\nVulnerable Software: `Jenkins ver. 2.27`\n\n###Proof of Exploitability\n\nCVE-2016-3727\n**POC URL:** `https://ci.owncloud.org/computer/(master)/api/xml`\n\n>Details:\n\n> The API URL /computer/(master)/api/xml allowed users with the extended read permission for the master node to see some global Jenkins configuration, including the configuration of the security realm.\n\n> Source: https://jenkins.io/security/advisory/2016-05-11/\n\n\nAdditionally, the current software version is also vulnerable to RCE.\n>CVE-2017-2608\n\n>XStream remote code execution vulnerability\n\n>Affected Versions: < 2.43\n\n> Source: https://jenkins.io/security/advisory/2017-02-01/\n\n###Recommended Fix\nUpdate Jenkins server to latest version 2.47\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-02-24T08:22:00", "type": "hackerone", "title": "ownCloud: Outdated Jenkins server hosted at OwnCloud.org", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3727", "CVE-2017-2608"], "modified": "2017-03-30T08:26:41", "id": "H1:208566", "href": "https://hackerone.com/reports/208566", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nJenkins Security Advisory:\n\nPlease reference CVE/URL list for details\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-01T00:00:00", "type": "freebsd", "title": "jenkins -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4969", "CVE-2015-0886", "CVE-2017-2598", "CVE-2017-2599", "CVE-2017-2600", "CVE-2017-2601", "CVE-2017-2602", "CVE-2017-2603", "CVE-2017-2604", "CVE-2017-2605", "CVE-2017-2606", "CVE-2017-2607", "CVE-2017-2608", "CVE-2017-2609", "CVE-2017-2610", "CVE-2017-2611", "CVE-2017-2612", "CVE-2017-2613"], "modified": "2017-02-01T00:00:00", "id": "5CFA9D0C-73D7-4642-AF4F-28FBED9E9404", "href": "https://vuxml.freebsd.org/freebsd/5cfa9d0c-73d7-4642-af4f-28fbed9e9404.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-08-19T12:38:11", "description": "Jenkins Security Advisory :\n\nPlease reference CVE/URL list for details", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-02T00:00:00", "type": "nessus", "title": "FreeBSD : jenkins -- multiple vulnerabilities (5cfa9d0c-73d7-4642-af4f-28fbed9e9404)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4969", "CVE-2015-0886", "CVE-2017-2598", "CVE-2017-2599", "CVE-2017-2600", "CVE-2017-2601", "CVE-2017-2602", "CVE-2017-2603", "CVE-2017-2604", "CVE-2017-1000362", "CVE-2017-2606", "CVE-2017-2607", "CVE-2017-2608", "CVE-2017-2609", "CVE-2017-2610", "CVE-2017-2611", "CVE-2017-2612", "CVE-2017-2613"], "modified": "2021-04-12T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:jenkins", "p-cpe:/a:freebsd:freebsd:jenkins-lts", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_5CFA9D0C73D74642AF4F28FBED9E9404.NASL", "href": "https://www.tenable.com/plugins/nessus/96939", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96939);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/12\");\n\n script_cve_id(\n \"CVE-2011-4969\",\n \"CVE-2015-0886\",\n \"CVE-2017-2598\",\n \"CVE-2017-2599\",\n \"CVE-2017-2600\",\n \"CVE-2017-2601\",\n \"CVE-2017-2602\",\n \"CVE-2017-2603\",\n \"CVE-2017-2604\",\n \"CVE-2017-1000362\",\n \"CVE-2017-2606\",\n \"CVE-2017-2607\",\n \"CVE-2017-2608\",\n \"CVE-2017-2609\",\n \"CVE-2017-2610\",\n \"CVE-2017-2611\",\n \"CVE-2017-2612\",\n \"CVE-2017-2613\"\n );\n\n script_name(english:\"FreeBSD : jenkins -- multiple vulnerabilities (5cfa9d0c-73d7-4642-af4f-28fbed9e9404)\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jenkins Security Advisory :\n\nPlease reference CVE/URL list for details\"\n );\n # https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f48db5ed\"\n );\n # https://vuxml.freebsd.org/freebsd/5cfa9d0c-73d7-4642-af4f-28fbed9e9404.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?42cc67a2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2608\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins-lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\ninclude('freebsd_package.inc');\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jenkins<2.44\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"jenkins-lts<2.32.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_WARNING, \n extra:pkg_report_get()\n );\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-12T15:59:02", "description": "The remote web server hosts a version of Jenkins that is prior to 2.44, or a version of Jenkins LTS prior to 2.32.2, or else a version of Jenkins Operations Center that is 1.625.x.y prior to 1.625.22.1, 2.7.x.0.y prior to 2.7.22.0.1, or 2.x.y.x prior to 2.32.2.1, or else a version of Jenkins Enterprise that is 1.651.x.y prior to 1.651.22.1, 2.7.x.0.y prior to 2.7.22.0.1, or 2.x.y.z prior to 2.32.2.1. It is, therefore, affected by the following vulnerabilities :\n\n - A DOM-based cross-site scripting (XSS) vulnerability exists in jQuery Core due to improper validation of certain tags while being rendered using innerHTML. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2011-4969)\n\n - An integer overflow condition exists in jBCrypt in the key stretching implementation in gensalt, within the crypt_raw() function, which is triggered when the 'log_rounds' parameter is set to the maximum value (31).\n An unauthenticated, remote attacker can exploit this to cause log_rounds to perform zero rounds, allowing a brute-force attack to more easily determine the password hash. (CVE-2015-0886)\n\n - A cross-site request forgery vulnerability (XSRF) exists due to several URLs related to group and role management not requiring POST form submission. An unauthenticated, remote attacker can exploit this to create unused roles, delete unused roles, and set group descriptions. Note that only Jenkins Enterprise is affected by this issue.\n (CVE-2016-9887)\n\n - A flaw exists when sensitive data, such as passwords, is encrypted using AES-128 with electronic codebook mode (ECB). An authenticated, remote attacker can exploit this to disclose information about reused passwords.\n (CVE-2017-2598)\n\n - An unspecified flaw exists that is triggered when handling new items due to insufficient permission checks. An authenticated, remote attacker can exploit this, by using the name of an already existing item, to create a new item that overwrites the existing item or to gain access to related objects. (CVE-2017-2599)\n\n - An information disclosure vulnerability exists due to improper permissions being set for accessing node monitor data via the remote API. An authenticated, remote attacker can exploit this to disclose system configuration and runtime information. (CVE-2017-2600)\n\n - A stored cross-site scripting (XSS) vulnerability exists due to improper validation of input to names and descriptions fields before returning it to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-2601)\n\n - A flaw exists in the Agent-to-Master Security Subsystem because build metadata from the Pipeline suite is not properly blacklisted. An authenticated, remote attacker can exploit this to overwrite metadata files.\n (CVE-2017-2602)\n\n - A flaw exists in the config.xml API when handling user-initiated agent disconnects, which results in User objects being included in the agent API output. An authenticated, remote attacker can exploit this to disclose sensitive information (e.g., user API tokens).\n (CVE-2017-2603)\n\n - A flaw exists when handling permissions for administrative monitors that allows an authenticated, remote attacker to access certain provided actions.\n (CVE-2017-2604)\n\n - A flaw exists in the internal API, specifically within the Jenkins::getItems() function, when requesting a list of items via UnprotectedRootAction. An authenticated, remote attacker can exploit this to disclose information regarding otherwise restricted items. (CVE-2017-2606)\n\n - A stored cross-site scripting (XSS) vulnerability exists due to improper validation of input passed via serialized console notes before returning it to users in build logs. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-2607)\n\n - A flaw exists in the XStream-based API due to improper validation of user-supplied input before it is deserialized. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-2608)\n\n - A flaw exists in the search box implementation due to the autocompletion feature displaying the names of restricted views. An authenticated, remote attacker can exploit this to disclose sensitive names of views.\n (CVE-2017-2609)\n\n - A stored cross-site scripting (XSS) vulnerability exists due to improper validation of input passed in user names before returning it to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-2610)\n\n - A flaw exists due to improper validation of permissions to the /workspaceCleanup and /fingerprintCleanup URLs.\n An authenticated, remote attacker can exploit this to cause a high load on the master and agents.\n (CVE-2017-2611)\n\n - A flaw exists due to a failure to properly restrict access to JDK download credentials. An authenticated, remote attacker can exploit this to overwrite the credentials, thereby causing builds to fail.\n (CVE-2017-2612)\n\n - A cross-site request forgery (XSRF) vulnerability exists due to a failure by HTTP GET requests to /user to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions.\n An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to cause the creation of new temporary users.\n (CVE-2017-2613)\n\n - An information disclosure vulnerability which exists in its re-key admin monitor component due to world readable permissions being set on the directory it creates to store secret information. An unauthenticated, remote attacker can exploit this to disclose information contained in this directory.\n (CVE-2017-1000362)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-08T00:00:00", "type": "nessus", "title": "Jenkins < 2.44 / 2.32.x < 2.32.2, Jenkins Operations Center < 1.625.22.1 / 2.7.22.0.1 / 2.32.2.1, and Jenkins Enterprise < 1.651.22.1 / 2.7.22.0.1 / 2.32.2.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4969", "CVE-2015-0886", "CVE-2016-9887", "CVE-2017-1000362", "CVE-2017-2598", "CVE-2017-2599", "CVE-2017-2600", "CVE-2017-2601", "CVE-2017-2602", "CVE-2017-2603", "CVE-2017-2604", "CVE-2017-2606", "CVE-2017-2607", "CVE-2017-2608", "CVE-2017-2609", "CVE-2017-2610", "CVE-2017-2611", "CVE-2017-2612", "CVE-2017-2613"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cloudbees:jenkins", "cpe:/a:jenkins:jenkins"], "id": "JENKINS_SECURITY_ADVISORY_2017-02-01.NASL", "href": "https://www.tenable.com/plugins/nessus/97609", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97609);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2011-4969\",\n \"CVE-2015-0886\",\n \"CVE-2016-9887\",\n \"CVE-2017-2598\",\n \"CVE-2017-2599\",\n \"CVE-2017-2600\",\n \"CVE-2017-2601\",\n \"CVE-2017-2602\",\n \"CVE-2017-2603\",\n \"CVE-2017-2604\",\n \"CVE-2017-2606\",\n \"CVE-2017-2607\",\n \"CVE-2017-2608\",\n \"CVE-2017-2609\",\n \"CVE-2017-2610\",\n \"CVE-2017-2611\",\n \"CVE-2017-2612\",\n \"CVE-2017-2613\",\n \"CVE-2017-1000362\"\n );\n script_bugtraq_id(\n 58458,\n 95948,\n 95949,\n 95951,\n 95952,\n 95953,\n 95954,\n 95955,\n 95956,\n 95957,\n 95959,\n 95960,\n 95961,\n 95962,\n 95963,\n 95964,\n 95967\n );\n\n script_name(english:\"Jenkins < 2.44 / 2.32.x < 2.32.2, Jenkins Operations Center < 1.625.22.1 / 2.7.22.0.1 / 2.32.2.1, and Jenkins Enterprise < 1.651.22.1 / 2.7.22.0.1 / 2.32.2.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a job scheduling and management system\nthat is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server hosts a version of Jenkins that is prior to\n2.44, or a version of Jenkins LTS prior to 2.32.2, or else a version\nof Jenkins Operations Center that is 1.625.x.y prior to 1.625.22.1,\n2.7.x.0.y prior to 2.7.22.0.1, or 2.x.y.x prior to 2.32.2.1, or else a\nversion of Jenkins Enterprise that is 1.651.x.y prior to 1.651.22.1,\n2.7.x.0.y prior to 2.7.22.0.1, or 2.x.y.z prior to 2.32.2.1. It is,\ntherefore, affected by the following vulnerabilities :\n\n - A DOM-based cross-site scripting (XSS) vulnerability\n exists in jQuery Core due to improper validation of\n certain tags while being rendered using innerHTML. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted request, to execute arbitrary script\n code in the user's browser session. (CVE-2011-4969)\n\n - An integer overflow condition exists in jBCrypt in the\n key stretching implementation in gensalt, within the\n crypt_raw() function, which is triggered when the\n 'log_rounds' parameter is set to the maximum value (31).\n An unauthenticated, remote attacker can exploit this to\n cause log_rounds to perform zero rounds, allowing a\n brute-force attack to more easily determine the password\n hash. (CVE-2015-0886)\n\n - A cross-site request forgery vulnerability (XSRF) exists\n due to several URLs related to group and role management\n not requiring POST form submission. An unauthenticated,\n remote attacker can exploit this to create unused roles,\n delete unused roles, and set group descriptions. Note\n that only Jenkins Enterprise is affected by this issue.\n (CVE-2016-9887)\n\n - A flaw exists when sensitive data, such as passwords, is\n encrypted using AES-128 with electronic codebook mode\n (ECB). An authenticated, remote attacker can exploit\n this to disclose information about reused passwords.\n (CVE-2017-2598)\n\n - An unspecified flaw exists that is triggered when\n handling new items due to insufficient permission\n checks. An authenticated, remote attacker can exploit\n this, by using the name of an already existing item, to\n create a new item that overwrites the existing item or\n to gain access to related objects. (CVE-2017-2599)\n\n - An information disclosure vulnerability exists due to\n improper permissions being set for accessing node\n monitor data via the remote API. An authenticated,\n remote attacker can exploit this to disclose system\n configuration and runtime information. (CVE-2017-2600)\n\n - A stored cross-site scripting (XSS) vulnerability exists\n due to improper validation of input to names and\n descriptions fields before returning it to users. An\n authenticated, remote attacker can exploit this, via a\n specially crafted request, to execute arbitrary script\n code in a user's browser session. (CVE-2017-2601)\n\n - A flaw exists in the Agent-to-Master Security Subsystem\n because build metadata from the Pipeline suite is not\n properly blacklisted. An authenticated, remote attacker\n can exploit this to overwrite metadata files.\n (CVE-2017-2602)\n\n - A flaw exists in the config.xml API when handling\n user-initiated agent disconnects, which results in User\n objects being included in the agent API output. An\n authenticated, remote attacker can exploit this to\n disclose sensitive information (e.g., user API tokens).\n (CVE-2017-2603)\n\n - A flaw exists when handling permissions for\n administrative monitors that allows an authenticated,\n remote attacker to access certain provided actions.\n (CVE-2017-2604)\n\n - A flaw exists in the internal API, specifically within\n the Jenkins::getItems() function, when requesting a list\n of items via UnprotectedRootAction. An authenticated,\n remote attacker can exploit this to disclose information\n regarding otherwise restricted items. (CVE-2017-2606)\n\n - A stored cross-site scripting (XSS) vulnerability exists\n due to improper validation of input passed via\n serialized console notes before returning it to users in\n build logs. An authenticated, remote attacker can\n exploit this, via a specially crafted request, to\n execute arbitrary script code in a user's browser\n session. (CVE-2017-2607)\n\n - A flaw exists in the XStream-based API due to improper\n validation of user-supplied input before it is\n deserialized. An authenticated, remote attacker can\n exploit this, via a specially crafted request, to\n execute arbitrary code. (CVE-2017-2608)\n\n - A flaw exists in the search box implementation due to\n the autocompletion feature displaying the names of\n restricted views. An authenticated, remote attacker can\n exploit this to disclose sensitive names of views.\n (CVE-2017-2609)\n\n - A stored cross-site scripting (XSS) vulnerability exists\n due to improper validation of input passed in user names\n before returning it to users. An authenticated, remote\n attacker can exploit this, via a specially crafted\n request, to execute arbitrary script code in a user's\n browser session. (CVE-2017-2610)\n\n - A flaw exists due to improper validation of permissions\n to the /workspaceCleanup and /fingerprintCleanup URLs.\n An authenticated, remote attacker can exploit this to\n cause a high load on the master and agents.\n (CVE-2017-2611)\n\n - A flaw exists due to a failure to properly restrict\n access to JDK download credentials. An authenticated,\n remote attacker can exploit this to overwrite the\n credentials, thereby causing builds to fail.\n (CVE-2017-2612)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to a failure by HTTP GET requests to /user to\n require multiple steps, explicit confirmation, or a\n unique token when performing certain sensitive actions.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the creation of new temporary users.\n (CVE-2017-2613)\n\n - An information disclosure vulnerability which exists in \n its re-key admin monitor component due to world readable \n permissions being set on the directory it creates to \n store secret information. An unauthenticated, remote \n attacker can exploit this to disclose information \n contained in this directory.\n (CVE-2017-1000362)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/security/advisory/2017-02-01/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cloudbees.com/cloudbees-security-advisory-2017-02-01\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/changelog/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/changelog-stable/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Jenkins to version 2.44 or later, Jenkins LTS to version\n2.32.2 or later, or Jenkins Operations Center to version 1.625.22.1 /\n2.7.22.0.1 / 2.32.2.1 or later, or Jenkins Enterprise to version\n1.651.22.1 / 2.7.22.0.1 / 2.32.2.1 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2608\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jenkins:jenkins\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\", \"jenkins_win_installed.nbin\", \"jenkins_nix_installed.nbin\", \"macosx_jenkins_installed.nbin\");\n script_require_keys(\"installed_sw/Jenkins\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Jenkins');\n\nvar constraints = [\n { 'fixed_version' : '2.44', 'edition':'Open Source' },\n { 'fixed_version' : '2.32.2', 'edition':'Open Source LTS' },\n { 'min_version' : '1', 'fixed_version' : '1.651.22.1', 'edition':'Enterprise' },\n { 'min_version' : '1', 'fixed_version' : '1.625.22.1', 'edition':'Operations Center' },\n { 'min_version' : '2.7', 'fixed_version' : '2.7.22.0.1', 'edition':make_list('Enterprise', 'Operations Center') },\n { 'min_version' : '2', 'fixed_version' : '2.32.2.1', 'edition':make_list('Enterprise', 'Operations Center'), 'rolling_train' : TRUE}\n];\n\nvcf::jenkins::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n flags:{xss:TRUE, xsrf:TRUE}\n);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-10-18T15:17:22", "description": "This host is installed with Jenkins and is prone to\n multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Jenkins Multiple Vulnerabilities - Feb17 (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-2598", "CVE-2011-4969", "CVE-2017-2605", "CVE-2017-2613", "CVE-2017-1000362", "CVE-2017-2608", "CVE-2017-2607", "CVE-2017-2611", "CVE-2015-0886", "CVE-2017-2603", "CVE-2017-2612", "CVE-2017-2602", "CVE-2017-2601", "CVE-2017-2610", "CVE-2017-2606", "CVE-2017-2599", "CVE-2017-2609", "CVE-2017-2604", "CVE-2017-2600"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310108096", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108096", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins Multiple Vulnerabilities - Feb17 (Windows)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108096\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2011-4969\", \"CVE-2015-0886\", \"CVE-2017-2598\", \"CVE-2017-2599\",\n \"CVE-2017-2600\", \"CVE-2017-2601\", \"CVE-2017-2602\", \"CVE-2017-2603\",\n \"CVE-2017-2604\", \"CVE-2017-2605\", \"CVE-2017-2606\", \"CVE-2017-2607\",\n \"CVE-2017-2608\", \"CVE-2017-2609\", \"CVE-2017-2610\", \"CVE-2017-2611\",\n \"CVE-2017-2612\", \"CVE-2017-2613\", \"CVE-2017-1000362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-13 11:00:00 +0100 (Mon, 13 Mar 2017)\");\n\n script_name(\"Jenkins Multiple Vulnerabilities - Feb17 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2017-02-01/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - cross-site scripting vulnerabilities\n\n - the usage ouf outdated libraries\n\n - insufficient access permission verifications / checks\n\n - a remote code execution vulnerability\n\n - a information disclosure vulnerability\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to obtain sensitive information,\n to bypass intended access restrictions and execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS 2.32.1 and prior, Jenkins main line 2.43 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Jenkins main line to 2.44 or later / Jenkins LTS to 2.32.2 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.32.2\" ) ) {\n vuln = TRUE;\n fix = \"2.32.2\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.44\" ) ) {\n vuln = TRUE;\n fix = \"2.44\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:18:42", "description": "This host is installed with Jenkins and is prone to\n multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Jenkins Multiple Vulnerabilities - Feb17 (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-2598", "CVE-2011-4969", "CVE-2017-2605", "CVE-2017-2613", "CVE-2017-1000362", "CVE-2017-2608", "CVE-2017-2607", "CVE-2017-2611", "CVE-2015-0886", "CVE-2017-2603", "CVE-2017-2612", "CVE-2017-2602", "CVE-2017-2601", "CVE-2017-2610", "CVE-2017-2606", "CVE-2017-2599", "CVE-2017-2609", "CVE-2017-2604", "CVE-2017-2600"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310108095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108095", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins Multiple Vulnerabilities - Feb17 (Linux)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108095\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2011-4969\", \"CVE-2015-0886\", \"CVE-2017-2598\", \"CVE-2017-2599\",\n \"CVE-2017-2600\", \"CVE-2017-2601\", \"CVE-2017-2602\", \"CVE-2017-2603\",\n \"CVE-2017-2604\", \"CVE-2017-2605\", \"CVE-2017-2606\", \"CVE-2017-2607\",\n \"CVE-2017-2608\", \"CVE-2017-2609\", \"CVE-2017-2610\", \"CVE-2017-2611\",\n \"CVE-2017-2612\", \"CVE-2017-2613\", \"CVE-2017-1000362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-13 11:00:00 +0100 (Mon, 13 Mar 2017)\");\n\n script_name(\"Jenkins Multiple Vulnerabilities - Feb17 (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2017-02-01/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - cross-site scripting vulnerabilities\n\n - the usage ouf outdated libraries\n\n - insufficient access permission verifications / checks\n\n - a remote code execution vulnerability\n\n - a information disclosure vulnerability\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to obtain sensitive information,\n to bypass intended access restrictions and execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS 2.32.1 and prior, Jenkins main line 2.43 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Jenkins main line to 2.44 or later / Jenkins LTS to 2.32.2 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.32.2\" ) ) {\n vuln = TRUE;\n fix = \"2.32.2\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.44\" ) ) {\n vuln = TRUE;\n fix = \"2.44\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2018-01-25T09:59:26", "description": "Imperva\u2019s research group is constantly monitoring new web application vulnerabilities. In doing so, we\u2019ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.\n\nOur analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.\n\nTo make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.\n\nIn this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).\n\n## What Is Serialization?\n\nThe process of serialization converts a \u201clive\u201d object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a \u201clive\u201d object.\n\nThe purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.\n\nFor example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. The server then deserializes the object to complete the operation.\n\n## Types of Serialization\n\nThere are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. In Java for example an object is converted into a compact representation using byte stream, and the byte stream can then be reverted back into a copy of that object.\n\nOther types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.\n\n## Deserialization Vulnerabilities from the Past Three Months\n\nIn the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>) and rightfully so as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.\n\nIn 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1).\n\n**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** \n---|---|--- \nCVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization \nCVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component \nCVE-2017-9805\n\n | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. \nCVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization \n \n_Figure 1: CVEs related to insecure deserialization_\n\nIn order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in the Figure 2.\n\n \n_Figure 2: Insecure deserialization attacks over the course of three months_\n\nMost of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.\n\nFor a full list of CVEs related to insecure deserialization from the past few years see Figure 3.\n\n**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** \n---|---|---|---|---|--- \nCVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No \nCVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No \nCVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No \nCVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No \nCVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No \nCVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No \nCVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No \nCVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No \nCVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No \nCVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes \nCVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No \nCVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes \nCVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No \nCVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No \nCVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No \nCVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No \nCVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No \nCVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No \nCVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No \nCVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No \nCVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes \nCVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes \nCVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No \nCVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes \nCVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes \nCVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No \nCVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No \nCVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes \nCVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No \nCVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No \nCVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No \nCVE-2016-2173 | Spring AMPQ | No | CVE-2015-4852 | Oracle WebLogic | Yes \nCVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes \nCVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Congnos BI | No \n \n_Figure 3: CVEs related to insecure deserialization_\n\n## Deserialization Attacks in the Wild\n\nMost of the attacks that we saw are related to byte-stream serialization of Java objects. Also, we saw some attacks related to serialization to XML and other formats, see Figure 4.\n\n \n_Figure 4: Distribution of vulnerabilities over different serialization formats_\n\nIn the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request\u2019s body using a serialized Java object through XML representation.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)\n\n_Figure 5: Attack vector containing a serialized java array into an XML_\n\nThe fact that this is a Java array can be seen by the hierarchical structure of the parameters, with the suffix of **\u201cjava/void/array/void/string\u201d**. The attacker is trying to run a bash script on the attacked server.\n\nThis bash script tries to send an HTTP request using \u201cwget\u201d OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. Few interesting notes can be made examining this command:\n\n * The existence of shell and \u201cwget\u201d commands indicate that this payload is targeting Linux systems\n * Using a picture file extension is usually done to evade security controls\n * The **\u201c-q\u201d** parameter to \u201cwget\u201d stands for \u201cquiet\u201d, this means that \u201cwget\u201d will have no output to the console, hence it will be harder to note that such a request was even made. Once the downloaded script runs the server is infected with a crypto mining malware trying to mine Monero digital coins (a crypto currency similar to Bitcoin).\n\nThe next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers using cmd.exe and Powershell commands to download the malware and run it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>)\n\n_Figure 6: Attack vector trying to infect Windows server with crypto mining malware_\n\nThis indicates that there are two different infection methods for Windows and Linux server, each system with its designated script.\n\nAnother example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>)\n\n_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_\n\nThe \u201cbad\u201d encoding is an artifact of Java serialization, where the object is represented in the byte stream.\n\nStill, we can see a script in plain text marked in yellow. Shown as an image below is a variable that defines an internal field separator, where in this case it is just a variable for space. The variable is probably used instead of a space to try to make the payload harder to detect.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>)\n\nJust as in the previous examples, this Bash script targets Linux servers that send an HTTP request using \u201cwget\u201d to download a crypto miner.\n\n## Beyond Insecure Deserialization\n\nThe common denominator of the attacks above is that attackers are trying to infect the server with a crypto mining malware by using an insecure deserialization vulnerability. However insecure deserialization is not the only method to achieve this goal.\n\nBelow (Figure 8) we see an example of another attack payload, this time at the \u201cContent-Type\u201d header.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>)\n\n_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_\n\nThis attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).\n\nWhen it was originally published we saw no indications of crypto miners in the attacks\u2019 payloads related to this CVE, and most of the payloads were reconnaissance attacks.\n\nHowever, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. Using the same remote server and the exact same script, it infected the server with crypto mining malware.\n\nThis old attack method with a new payload suggests a new trend in the cyber arena \u2013 attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their \u201ceffort\u201d.\n\n## Recommendations\n\nGiven the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to use the latest patch to mitigate these vulnerabilities.\n\nAn alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.\n\nA WAF that provides virtual patching doesn\u2019t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.\n\nLearn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).", "edition": 2, "cvss3": {}, "published": "2018-01-24T17:45:08", "type": "impervablog", "title": "Deserialization Attacks Surge Motivated by Illegal Crypto-mining", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4858", "CVE-2015-3253", "CVE-2015-4852", "CVE-2015-5254", "CVE-2015-5348", "CVE-2015-6420", "CVE-2015-6555", "CVE-2015-6576", "CVE-2015-6934", "CVE-2015-7253", "CVE-2015-7450", "CVE-2015-7501", "CVE-2015-8103", "CVE-2015-8237", "CVE-2015-8238", "CVE-2015-8360", "CVE-2015-8545", "CVE-2015-8581", "CVE-2015-8765", "CVE-2016-0714", "CVE-2016-0779", "CVE-2016-0788", "CVE-2016-0958", "CVE-2016-1291", "CVE-2016-1487", "CVE-2016-1985", "CVE-2016-1986", "CVE-2016-1997", "CVE-2016-1998", "CVE-2016-1999", "CVE-2016-2000", "CVE-2016-2003", "CVE-2016-2170", "CVE-2016-2173", "CVE-2016-2510", "CVE-2016-3415", "CVE-2016-3427", "CVE-2016-3461", "CVE-2016-3642", "CVE-2016-4372", "CVE-2016-4385", "CVE-2016-5004", "CVE-2016-5229", "CVE-2016-6809", "CVE-2016-7462", "CVE-2016-8735", "CVE-2016-8744", "CVE-2016-8749", "CVE-2016-9299", "CVE-2016-9606", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-11283", "CVE-2017-11284", "CVE-2017-12149", "CVE-2017-2608", "CVE-2017-3066", "CVE-2017-3159", "CVE-2017-5586", "CVE-2017-5638", "CVE-2017-5641", "CVE-2017-5645", "CVE-2017-5878", "CVE-2017-7504", "CVE-2017-9805", "CVE-2017-9830", "CVE-2017-9844"], "modified": "2018-01-24T17:45:08", "id": "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "href": "https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
Deserialization of Untrusted Data in Jenkins
