The following flaw was found in Jenkins:
XStream-based APIs in Jenkins (e.g. /createItem URLs, or the POST config.xml remote API) were vulnerable to remote code execution through the deserialization of various types in javax.imageio.
In case this extension of the blacklist results in regressions, the blacklist can be customized as described in the Jenkins LTS upgrade guide for Jenkins 2.19.3.
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1418736]