Description
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".