CVE-2022-41237: Deserialization of Untrusted Data

September 22, 2022 (updated December 6, 2022)

Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

References

github.com/advisories/GHSA-x3jj-rgw9-7r5g
nvd.nist.gov/vuln/detail/CVE-2022-41237
plugins.jenkins.io/DotCi/
www.jenkins.io/security/advisory/2022-09-21/
www.jenkins.io/security/plugins/

Code Behaviors & Features

Detect and mitigate CVE-2022-41237 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →