GHSA-58pr-hprx-7hg6

Source

https://github.com/advisories/GHSA-58pr-hprx-7hg6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-58pr-hprx-7hg6/GHSA-58pr-hprx-7hg6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-58pr-hprx-7hg6

Aliases

CVE-2021-21677

Published

2022-05-24T19:12:36Z

Modified

2024-02-16T08:22:02.827686Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

RCE vulnerability in Jenkins Code Coverage API Plugin

Details

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Jenkins Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

Database specific

{
    "nvd_published_at": "2021-08-31T14:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-15T16:36:42Z"
}

References

Affected packages

Maven / io.jenkins.plugins:code-coverage-api

Package

Name: io.jenkins.plugins:code-coverage-api; View open source insights on deps.dev
Purl: pkg:maven/io.jenkins.plugins/code-coverage-api

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.1

Affected versions

1.*

1.0.0-alpha-1

1.0.0-rc-1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.2.1

1.3.1

1.3.2

1.4.0

Database specific

{
    "last_known_affected_version_range": "<= 1.4.0"
}