CVE-2015-8103

CRITICAL LAB

Jenkins CLI RMI Java Deserialization Vulnerability

Title source: metasploit

Description

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Exploits (6)

exploitdb (WORKING POC, VERIFIED)
  by Metasploit · tags: ruby, remote, java
  https://www.exploit-db.com/exploits/38983
nomisec (STUB)
  by r00t4dm · tags: poc
  https://github.com/r00t4dm/Jenkins-CVE-2015-8103
nomisec (STUB)
  by cved-sources · tags: poc
  https://github.com/cved-sources/cve-2015-8103
metasploit (WORKING POC)
  by altonjx, Jeffrey Cap · tags: ruby, poc
  https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/jenkins_command.rb
metasploit (WORKING POC, rank NORMAL)
  tags: ruby, poc, linux
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/opennms_java_serialize.rb
metasploit (WORKING POC, rank EXCELLENT)
  by Christopher Frohoff, Steve Breen, Dev Mohanty, Louis Sato, wvu, juan vazquez, Wei Chen · tags: ruby, poc, java
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/jenkins_java_deserialize.rb

Scores

CVSS v3 9.8
EPSS 0.9037
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull medicean/vulapps:base_jboss_as6

Details

CWE
CWE-502
Status published
Products (5)
jenkins/jenkins < 1.625.2
jenkins/jenkins < 1.638
org.jenkins-ci.main/cli 0 - 1.625.2 (Maven)
redhat/openshift_container_platform 2.2
redhat/openshift_container_platform 3.1
Published Nov 25, 2015
Tracked Since Feb 18, 2026