ghsa-34wx-x2w9-vqm3
Vulnerability from github
Published
2022-02-10 00:00
Modified
2023-12-22 13:51
Severity ?
Summary
DoS vulnerability in bundled XStream library in Jenkins Core
Details
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xml
, build.xml
, and numerous others.
This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml
API, to cause a denial of service (DoS).
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "2.320" }, { "fixed": "2.334" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.319.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-0538" ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-06-20T22:50:31Z", "nvd_published_at": "2022-02-09T14:15:00Z", "severity": "MODERATE" }, "details": "Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library\u2019s vulnerability [CVE-2021-43859](https://x-stream.github.io/CVE-2021-43859.html). This library is used by Jenkins to serialize and deserialize various XML files, like global and job `config.xml`, `build.xml`, and numerous others.\n\nThis allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the `POST config.xml` API, to cause a denial of service (DoS).", "id": "GHSA-34wx-x2w9-vqm3", "modified": "2023-12-22T13:51:07Z", "published": "2022-02-10T00:00:30Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0538" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/8276aef4cc3dd81810fe6bdf6fa48141632c4636" }, { "type": "WEB", "url": "https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/02/09/1" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "DoS vulnerability in bundled XStream library in Jenkins Core" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.