CVE-2022-0538
UNKNOWN
Published 2022-02-09T13:30:15
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2022-0538. We'll provide specific mitigation strategies based on your environment and risk profile.
No CVSS data available
Description
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
MODERATE
DoS vulnerability in bundled XStream library in Jenkins Core
GHSA-34wx-x2w9-vqm3Advisory Details
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the XStream library’s vulnerability [CVE-2021-43859](https://x-stream.github.io/CVE-2021-43859.html). This library is used by Jenkins to serialize and deserialize various XML files, like global and job `config.xml`, `build.xml`, and numerous others.
This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the `POST config.xml` API, to cause a denial of service (DoS).
Affected Packages
Maven
org.jenkins-ci.main:jenkins-core
ECOSYSTEM:
≥2.320
<2.334
Maven
org.jenkins-ci.main:jenkins-core
ECOSYSTEM:
≥0
<2.319.3
CVSS Scoring
CVSS Score
5.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
Advisory provided by GitHub Security Advisory Database. Published: February 10, 2022, Modified: December 22, 2023
References
Published: 2022-02-09T13:30:15
Last Modified: 2024-08-02T23:32:46.169Z
Copied to clipboard!