Jenkins XStream Java Library Deserialization Vulnerability Remote Code Execution Exploit

Jenkins is prone to a remote code execution vulnerability caused by deserialization of untrusted input through the XStream Java library, which allows an attacker to instantiate arbitrary Java objects. Several API endpoints accept XML documents POSTed by low-privilege users and deserialize them server-side, so a maliciously crafted XML file sent to one of these endpoints can result in arbitrary code execution.
Exploit type: 
Platform: 
Vulnerability ID: CVE-2016-0792
Product Version: 2016_R1
Released Date: Wednesday, April 13, 2016 - 00:00