The vulnerability stems from Jenkins' use of XStream's default URLConverter for deserializing java.net.URL objects. The patch introduced a SafeURLConverter that wraps deserialized URLs and prevents DNS resolution during deserialization. In vulnerable versions, no such converter was registered, so the system relied on the insecure default URLConverter.fromString method. The commit diff explicitly adds the SafeURLConverter registration in XStream2.java, confirming that the default converter was the root cause. The vulnerability manifests when untrusted data containing URL objects is deserialized, making the default URLConverter.fromString the critical vulnerable function.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | maven | < 2.121.3 | 2.121.3 |
| org.jenkins-ci.main:jenkins-core | maven | >= 2.122, < 2.138 | 2.138 |
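To show what a converter of the kind described above has to do, here is an added example of an XStream SingleValueConverter for java.net.URL that cannot trigger host resolution while an object graph is being unmarshalled. It is illustrative code written for this page, not Jenkins' SafeURLConverter and not XStream's URLConverter; the class names NoDnsUrlConverter and NoDnsHandler, the XStream 1.4.x calls used (registerConverter, allowTypes, fromXML) and the sample `<url>` element are assumptions of the example. The detail worth knowing as a defender is that constructing a java.net.URL does not contact DNS by itself; it is URL.equals and URL.hashCode that resolve the host through the JDK's default URLStreamHandler, and those get called as soon as a deserialized URL is stored in a HashMap or HashSet. Overriding the handler's equals/hashCode to compare the external form is what removes the network side effect.

```java
// Added example (not Jenkins' or XStream's own code): an XStream converter for
// java.net.URL whose values never resolve their host during deserialization.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;

public class NoDnsUrlConverter extends AbstractSingleValueConverter {

    /**
     * Stream handler whose equals/hashCode compare the URL text only.
     * The JDK default handler resolves the host name inside hashCode()
     * and equals(), which is the DNS side effect this converter avoids.
     */
    private static final class NoDnsHandler extends URLStreamHandler {
        @Override
        protected URLConnection openConnection(URL u) throws IOException {
            // Values that came out of untrusted XML are identifiers, not things
            // to connect to; fail closed instead of opening a connection.
            throw new IOException("opening connections through deserialized URLs is not permitted");
        }

        @Override
        protected int hashCode(URL u) {
            return u.toExternalForm().hashCode();
        }

        @Override
        protected boolean equals(URL u1, URL u2) {
            return u1.toExternalForm().equals(u2.toExternalForm());
        }
    }

    @Override
    public boolean canConvert(Class type) {
        return type == URL.class;
    }

    @Override
    public Object fromString(String str) {
        try {
            // No context URL; the NoDnsHandler parses the spec and is attached to the result.
            return new URL(null, str, new NoDnsHandler());
        } catch (MalformedURLException e) {
            throw new ConversionException("malformed URL in serialized data", e);
        }
    }

    public static void main(String[] args) {
        XStream xs = new XStream();
        // XStream 1.4.7+ type allow-list; only URL is needed for this demonstration.
        xs.allowTypes(new Class[] { URL.class });
        // Registering the converter for URL takes precedence over XStream's default URLConverter.
        xs.registerConverter(new NoDnsUrlConverter());

        // Constructed sample input: a single URL element as XStream serializes one.
        String xml = "<url>http://host.example.invalid/path?q=1</url>";
        URL u = (URL) xs.fromXML(xml);

        // With the default handler this hashCode() call would perform a DNS lookup;
        // with NoDnsHandler it only hashes the external form.
        System.out.println(u.toExternalForm() + " hash=" + u.hashCode());
    }
}
```

When wiring something like this into a real XStream instance, register the converter before any untrusted XML is read, and keep the type allow-list in place as well: the converter only changes how URL values behave, it does not decide which classes the deserializer is willing to instantiate.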