The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.jenkins-ci.main:cli(Maven) | 0 | 1.625.2 | N/A |
| org.jenkins-ci.main:cli(Maven) | 1.626 | 1.638 | N/A |
CVSS Metrics
