ghsa-34wx-x2w9-vqm3
Vulnerability from github
Published
2022-02-10 00:00
Modified
2023-12-22 13:51
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
DoS vulnerability in bundled XStream library in Jenkins Core
Details

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xml, build.xml, and numerous others.

This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml API, to cause a denial of service (DoS).

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.320"
            },
            {
              "fixed": "2.334"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.319.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:50:31Z",
    "nvd_published_at": "2022-02-09T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library\u2019s vulnerability [CVE-2021-43859](https://x-stream.github.io/CVE-2021-43859.html). This library is used by Jenkins to serialize and deserialize various XML files, like global and job `config.xml`, `build.xml`, and numerous others.\n\nThis allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the `POST config.xml` API, to cause a denial of service (DoS).",
  "id": "GHSA-34wx-x2w9-vqm3",
  "modified": "2023-12-22T13:51:07Z",
  "published": "2022-02-10T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0538"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/8276aef4cc3dd81810fe6bdf6fa48141632c4636"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/02/09/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DoS vulnerability in bundled XStream library in Jenkins Core"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.