A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core(Maven) | 0 | 2.121.3 | N/A |
| org.jenkins-ci.main:jenkins-core(Maven) | 2.122 | 2.138 | N/A |
CVSS Metrics
