CVE-2016-9299: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
References
- www.openwall.com/lists/oss-security/2016/11/12/4
- www.openwall.com/lists/oss-security/2016/11/14/9
- www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition
- github.com/advisories/GHSA-2x9h-h3c4-wqqh
- groups.google.com/forum/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6/
- nvd.nist.gov/vuln/detail/CVE-2016-9299
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16
- www.cloudbees.com/jenkins-security-advisory-2016-11-16
- www.exploit-db.com/exploits/44642/