| Name | jenkins_xstream_rce |
| CVE | CVE-2017-2068 |
| Exploit Pack | CANVAS |
| Description | jenkins_xstream_rce |
| Notes | CVE Name: CVE-2017-2068 VENDOR: Jenkins NOTES: XStream-based APIs in Jenkins CI previous to version 2.44 are vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio package Authentication is required to reach the vulnerable endpoints, however a normal user (non-admin) can reach these endpoints when the Role Strategy plugin is not installed (which is not by default). Tested versions: > Ubuntu Linux 16.04 LTS - 64bit - Jenkins 2.43 on Tomcat 8.0.30 with Java SE 8 / 7 - Jenkins 1.634, 2.0 & 2.43 on Tomcat 8.5.16 with Java SE 8 / 7 > Ubuntu Linux 14.04 - 32bit - Jenkins 1.598 with Sun JRE v1.7.0_21 Repeatability: Infinite References: ['https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01', 'https://github.com/jenkinsci/jenkins/blob/b4095bc4b6c62023a2029e5e2faef8ad0e3a4252/test/src/test/java/hudson/util/XStream2Security383Test.java', 'https://github.com/jenkinsci/jenkins/blob/b4095bc4b6c62023a2029e5e2faef8ad0e3a4252/test/src/test/resources/hudson/util/XStream2Security383Test/config.xml'] CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2068 |
| Learn more about the CANVAS Exploit Pack here: CANVAS |