Jenkins is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.



There are several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.



This update adds support for HTTPS and IPv6. It also allows to change the application root path.

Jenkins is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.



There are several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

This update resolves an error when importing services from a file.

The specific flaw exists within the implementation of the 0x13C83 IOCTL in the BwOpcTool subsystem. A stack-based buffer overflow vulnerability exists in a call to memcpy using the ProjectName parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.

The specific flaw exists within the activate_doit function of the service. The issue lies in the handling of the actserver parameter which can result in overflowing a stack-based buffer.

A vulnerability exists in the FileUpload2Controller servlet. This servlet allows unauthenticated file uploads.



By uploading a JSP file, an attacker can achieve remote code execution.

Easy File Sharing is prone to a buffer-overflow when handling a specially crafted GET request.

The specific flaw exists within the implementation of the 0x280A IOCTL in the DrawSrv subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.

This module exploits a Jenkins command injection in order to install an agent.



This update adds support for Windows and Linux platforms, and HTTPS support.

A vulnerability exists in the UploadServlet servlet. By providing a filename header containing a directory traversal, an attacker can upload a file to an arbitrary location on the system.

This module abuses the auto deploy feature in the server in order to achieve remote code execution.