Jenkins < 1.642.2 / 1.650 Java Object Deserialization RCE

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Synopsis :

The remote web server is affected by a remote code execution vulnerability.

Description :

The Jenkins web server running on the remote host is affected by a
remote code execution vulnerability due to the unsafe deserialization of
Java objects received from unauthenticated clients and passed to the
Groovy library, specifically the runtime.MethodClosure class. An
unauthenticated, remote attacker can exploit this, via a crafted XML
file, to execute arbitrary code on the target host.

Note that the Jenkins web server may be affected by other
vulnerabilities as well; however, Nessus has not tested for these.

See also :

Solution :

Upgrade to Jenkins version 1.642.2 / 1.650 or later. Alternatively,
disable the CLI port per the vendor advisory.
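As an added defender-side check (not the Nessus plugin's own code), the following classifies a Jenkins instance from the version reported in its X-Jenkins response header against the fixed releases named in the solution above. The split between the three-component LTS line (fixed at 1.642.2) and the two-component weekly line (fixed at 1.650), and the decision to report an unparseable header as unknown rather than safe, are assumptions made here; the sample headers are constructed.

```python
# Added example (not Nessus plugin code): decide from the X-Jenkins response
# header whether a Jenkins instance is below the fixed versions in this advisory
# (1.642.2 for the LTS line, 1.650 for the weekly line).
import re
from typing import Optional, Tuple

FIXED_LTS = (1, 642, 2)    # LTS releases carry three components
FIXED_WEEKLY = (1, 650)    # weekly releases carry two components


def parse_jenkins_version(header_value: str) -> Optional[Tuple[int, ...]]:
    """'1.642.1' -> (1, 642, 1); None when the value is not a Jenkins version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", header_value.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(header_value: str) -> Optional[bool]:
    """True below the fix for its release line, False if fixed,
    None if unparseable (report as unknown, never as safe)."""
    ver = parse_jenkins_version(header_value)
    if ver is None:
        return None
    if len(ver) == 3:             # LTS line: 1.642.1 vulnerable, 1.642.2 fixed
        return ver < FIXED_LTS
    return ver < FIXED_WEEKLY     # weekly line: 1.649 vulnerable, 1.650 fixed


def triage(headers: dict) -> str:
    """Classify one response's headers (header names are case-insensitive)."""
    value = next((v for k, v in headers.items() if k.lower() == "x-jenkins"), None)
    if value is None:
        return "no-x-jenkins-header"
    return {None: "unknown-version", True: "vulnerable", False: "fixed"}[is_vulnerable(value)]


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real host.
    for hdrs in ({"X-Jenkins": "1.642.1"}, {"X-Jenkins": "1.642.2"},
                 {"x-jenkins": "1.649"}, {"X-Jenkins": "1.650"}, {"Server": "nginx"}):
        print(hdrs, "->", triage(hdrs))
```

A version check alone cannot tell whether the alternative mitigation (disabling the CLI port) has been applied, so treat a "vulnerable" result as a prompt to verify that setting rather than as proof of exposure.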

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.3
Public Exploit Available : true

Family: General

Nessus Plugin ID: 89034

Bugtraq ID: 83720

CVE ID: CVE-2016-0792
