CVE-2016-9299

CRITICAL · EXPLOITED · NUCLEI

Jenkins < 2.32 / LTS < 2.19.3 - Remoting Java Deserialization RCE

Title source: llm

Description

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. The remoting channel (reachable through the Jenkins CLI over HTTP and over the TCP CLI port) deserialized objects it received without an effective class filter; the known exploit path sends a serialized LdapAttribute object whose deserialization performs a JNDI/LDAP lookup against an attacker-controlled LDAP server, and the server's response points the JVM at attacker-supplied classes, which it loads and runs. No authentication is required, so any host exposing the CLI endpoint is exploitable.
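As an added example (not part of this entry, and not code from Jenkins, Metasploit or the Nuclei template referenced on this page), the following Python check classifies a Jenkins host from its X-Jenkins response header against the affected ranges stated in the description: weekly releases (two-component versions) before 2.32 and LTS releases (three-component versions) before 2.19.3. The header sets at the bottom are constructed, not captured from real hosts. This is a version-banner heuristic only: a host behind a proxy that strips X-Jenkins, or one with the CLI disabled, is not classified correctly by it, and a positive result should be confirmed with the deserialization probe rather than the banner.

```python
import re
from typing import Optional, Tuple

# Fixed versions taken from the advisory text of CVE-2016-9299:
# weekly releases before 2.32 and LTS releases before 2.19.3 are affected.
FIXED_WEEKLY = (2, 32)
FIXED_LTS = (2, 19, 3)

# Jenkins weekly versions look like "2.31"; LTS versions like "2.19.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_jenkins_version(value: str) -> Optional[Tuple[int, ...]]:
    """Parse an X-Jenkins header value into a tuple of ints.

    Returns a 2-tuple for weekly releases, a 3-tuple for LTS releases, and
    None for anything that does not look like a Jenkins version string.
    """
    m = _VERSION_RE.match(value.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in the affected range, False if fixed,
    None if the version string could not be parsed."""
    v = parse_jenkins_version(version)
    if v is None:
        return None
    if len(v) == 3:
        # LTS line: the fix shipped in 2.19.3, so anything older
        # (including the 2.7.x and 1.x LTS lines) is affected.
        return v < FIXED_LTS
    # Weekly line: the fix shipped in 2.32.
    return v < FIXED_WEEKLY


def check_response_headers(headers: dict) -> dict:
    """Classify a Jenkins HTTP response from its headers.

    Jenkins advertises its version in the X-Jenkins response header. Header
    names are matched case-insensitively because proxies and HTTP libraries
    differ in how they present them.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "x-jenkins":
            value = val
            break
    if value is None:
        return {"jenkins": False, "version": None, "vulnerable": None}
    return {"jenkins": True, "version": value.strip(), "vulnerable": is_vulnerable(value)}


# Constructed sample response headers (not captured from real hosts).
SAMPLE_RESPONSES = {
    "weekly-affected": {"X-Jenkins": "2.31", "X-Jenkins-Session": "0123abcd"},
    "weekly-fixed": {"X-Jenkins": "2.32"},
    "lts-affected": {"x-jenkins": "2.19.2"},
    "lts-fixed": {"X-Jenkins": "2.19.3"},
    "old-lts-affected": {"X-Jenkins": "2.7.4"},
    "not-jenkins": {"Server": "nginx"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:18s} {check_response_headers(hdrs)}")
```

The LTS/weekly split matters because a plain tuple comparison against 2.32 would wrongly mark LTS 2.19.2 as fixed (2.19.x sorts below 2.32) while the advisory treats the LTS line separately with its own fix version.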

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/44642
nomisec · SUSPICIOUS
by r00t4dm · poc
https://github.com/r00t4dm/Jenkins-CVE-2016-9299
metasploit · WORKING POC · EXCELLENT
by Matthias Kaiser, Alisa Esage, Ivan, YSOSerial · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/jenkins_ldap_deserialize.rb

Nuclei Templates (1)

Jenkins CLI - HTTP Java Deserialization
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: product:"jenkins"
FOFA: icon_hash=81586312

Scores

CVSS v3 9.8
EPSS 0.8925
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2016-11-16
CWE
CWE-90 (as recorded; the underlying weakness is untrusted Java deserialization, CWE-502, with the LDAP query being a side effect of the gadget rather than an injection into an LDAP filter)
Status published
Products (4)
fedoraproject/fedora 25
jenkins/jenkins < 2.19.2
jenkins/jenkins < 2.31
org.jenkins-ci.main/jenkins-core 2.20 - 2.32 (Maven)
Published Jan 12, 2017
Tracked Since Feb 18, 2026