Bug 2487539 (CVE-2026-53435)
| Summary: | CVE-2026-53435 jenkins: Jenkins: Arbitrary code execution via deserialization of attacker-controlled configuration | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Jenkins. Attackers can exploit a deserialization vulnerability by submitting a specially crafted `config.xml` file. This allows them to deserialize arbitrary types, leading to the ability to impersonate users and send HTTP requests on their behalf. The most critical impact is the potential for arbitrary code execution through the Script Console, as well as unauthorized reading of files from the Jenkins controller.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-06-10 14:01:52 UTC
|