Jenkins XStream Java Library Deserialization Vulnerability Remote Code Execution Exploit

Jenkins is prone to a remotely exploitable vulnerability caused by deserialization of untrusted input, which allows attackers to instantiate arbitrary Java objects and thereby achieve remote code execution. Several API endpoints accept XML files POSTed by low-privilege users and deserialize them with the XStream library. A maliciously crafted XML file sent to one of these endpoints can result in arbitrary code execution on the Jenkins server.
Exploit type: 
Platform: 
Vulnerability ID: CVE-2016-0792
Product Version: 37
Release Date: Tuesday, April 12, 2016 - 19:00