CVE-2022-0538

CVE-2022-0538

Name

CVE-2022-0538

Description

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602
MLIST	http://www.openwall.com/lists/oss-security/2022/02/09/1

Type

URI

CONFIRM

https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602

MLIST

http://www.openwall.com/lists/oss-security/2022/02/09/1

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:jenkins:jenkins:::::lts:::*`	jenkins	>= None	< 2.319.3
`cpe:2.3:a:jenkins:jenkins:::::-:::*`	jenkins	>= None	< 2.334

CPE URI

Source package

Min version

Max version

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

jenkins

>= None

< 2.319.3

cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

jenkins

>= None

< 2.334

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
jenkins	3.15-community	2.319.3-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed
jenkins	edge-community	2.332.3-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed
jenkins	3.16-community	2.332.3-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

jenkins

3.15-community

2.319.3-r0

Francesco Colista <fcolista@alpinelinux.org>

fixed

jenkins

edge-community