
[GHSA-hhpm-5cp2-hg4x] Deserialization of Untrusted Data in Jenkins

Open sunSUNQ opened this issue 1 year ago • 4 comments

Updates

  • Affected products
  • References
  • Source code location

Add some patch links related to CVE-2018-1000861.

sunSUNQ avatar Feb 26 '24 13:02 sunSUNQ

Hey @sunSUNQ, I'm not sure I see how all of these commits are related to the advisory. Can you step me through the logic?

darakian avatar Mar 05 '24 22:03 darakian

I apologize, there was an issue with the submission, and only 76e0e69e91b85dd72f8fac53d547dcdc4ff1d90c is relevant to the current vulnerability.

sunSUNQ avatar Mar 06 '24 02:03 sunSUNQ

I'm still not seeing the linkage. How does it relate to stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java?

darakian avatar Mar 06 '24 18:03 darakian

CVE-2018-1000861 is mentioned in the official advisory as related to SECURITY-595. In https://github.com/advisories/GHSA-hhpm-5cp2-hg4x, only https://github.com/jenkinsci/jenkins/commit/47f38d714c99e1841fb737ad1005618eb26ed852 is provided. However, I believe the following five commits are also relevant:

  • https://github.com/jenkinsci/jenkins/commit/90b6d47af7ff0ae33f4ff816a0d9ca36223769b0
  • https://github.com/jenkinsci/jenkins/commit/db5defdf2f3c8efa4c8fb5a04502ebbccec96504
  • https://github.com/jenkinsci/jenkins/commit/3353e66082cd275b7bf55da7b2423d6ca11a1e2d
  • https://github.com/jenkinsci/jenkins/commit/19698a82624ca4d62525bf7add2f807ce3b4a9f3
  • https://github.com/jenkinsci/jenkins/commit/76e0e69e91b85dd72f8fac53d547dcdc4ff1d90c

sunSUNQ avatar Mar 07 '24 09:03 sunSUNQ

Hello, I'm looking forward to your response.

sunSUNQ avatar Mar 21 '24 01:03 sunSUNQ

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

taladrane avatar Apr 06 '24 00:04 taladrane