Vulnerabilities > CVE-2016-9299 - LDAP Injection vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, jenkins, fedoraproject, CWE-90, critical, nessus, exploit available, metasploit

Summary

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Configurations

Part        | Description    | Count
------------|----------------|------
Application | Jenkins        | 758
OS          | Fedoraproject  | 1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • LDAP Injection
    An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

Exploit-Db

description: Jenkins CLI - HTTP Java Deserialization (Metasploit). CVE-2016-9299. Remote exploit for Linux platform. Tags: Metasploit Framework (MSF), Remote
file: exploits/linux/remote/44642.rb
id: EDB-ID:44642
last seen: 2018-05-24
modified: 2018-05-17
platform: linux
port: 8080
published: 2018-05-17
reporter: Exploit-DB
source: https://www.exploit-db.com/download/44642/
title: Jenkins CLI - HTTP Java Deserialization (Metasploit)
type: remote

Metasploit

description: This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists in Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not required to exploit this vulnerability.
id: MSF:EXPLOIT/LINUX/MISC/JENKINS_LDAP_DESERIALIZE
last seen: 2020-06-09
modified: 2018-05-16
published: 2017-01-11
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/jenkins_ldap_deserialize.rb
title: Jenkins CLI HTTP Java Deserialization Vulnerability

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_27EEE66D947444A5B83021EC12A1C307.NASL
    description: Jenkins Security Advisory : An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94918
    published: 2016-11-16
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94918
    title: FreeBSD : jenkins -- Remote code execution vulnerability in remoting module (27eee66d-9474-44a5-b830-21ec12a1c307)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-93679A91DF.NASL
    description: Security fix for CVE-2016-9299. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-03-06
    plugin id: 97533
    published: 2017-03-06
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97533
    title: Fedora 24 : jenkins / jenkins-remoting (2016-93679a91df)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-368780879D.NASL
    description: Security fix for CVE-2016-9299. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-12-01
    plugin id: 95446
    published: 2016-12-01
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/95446
    title: Fedora 25 : jenkins / jenkins-remoting (2016-368780879d)

Packetstorm

data source: https://packetstormsecurity.com/files/download/147665/jenkins_ldap_deserialize.rb.txt
id: PACKETSTORM:147665
last seen: 2018-05-17
published: 2018-05-16
reporter: Matthias Kaiser
source: https://packetstormsecurity.com/files/147665/Jenkins-CLI-HTTP-Java-Deserialization.html
title: Jenkins CLI HTTP Java Deserialization

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:92557
last seen: 2017-11-19
modified: 2016-11-26
published: 2016-11-26
reporter: Root
title: Jenkins remoting module remote command execution vulnerability (CVE-2016-9299)

References