CVE-2016-0792
HIGH
Jenkins XStream Groovy classpath Deserialization Vulnerability
Title source: metasploit
Description
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
Exploits (6)
exploitdb
WORKING POC
VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/43375
exploitdb
WORKING POC
VERIFIED
by Janusz Piechówka · python · remote · java
https://www.exploit-db.com/exploits/42394
nomisec
WORKING POC
49 stars
by jpiechowka · poc
https://github.com/jpiechowka/jenkins-cve-2016-0792
metasploit
WORKING POC
EXCELLENT
by Arshan Dabirsiaghi · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
Scores
CVSS v3
8.8
EPSS
0.9085
EPSS Percentile
99.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (4)
jenkins/jenkins
< 1.642.1
jenkins/jenkins
< 1.649
org.jenkins-ci.main/jenkins-core
1.643 - 1.650 (Maven)
redhat/openshift
3.1
Published
Apr 07, 2016
Tracked Since
Feb 18, 2026