Jenkins < 1.642.2 / 1.650 Java Object Deserialization RCE
Critical Nessus Plugin ID 89034
Synopsis: The remote web server is affected by a remote code execution vulnerability.
Description: The Jenkins web server running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialization of Java objects supplied by unauthenticated clients, which are passed to the Groovy library, specifically the runtime.MethodClosure class. An unauthenticated, remote attacker can exploit this, via a crafted XML file, to execute arbitrary code on the target host.
Note that the Jenkins web server may be affected by other vulnerabilities as well; however, Nessus has not tested for these.
Solution: Upgrade to Jenkins version 1.642.2 / 1.650 or later. Alternatively, disable the CLI port per the vendor advisory.