this post was submitted on 15 Jun 2026
6 points (87.5% liked)

cybersecurity


cross-posted from: https://lemmy.world/post/48197919

A newly disclosed Jenkins vulnerability, tracked as CVE-2026-53435, is now being actively exploited in the wild. The flaw allows an authenticated attacker with relatively low privileges to POST a malicious config.xml file, abuse Jenkins’ deserialization handling, and route requests through Stapler to access sensitive files on the Jenkins controller.

The issue affects Jenkins weekly versions up to 2.567 and LTS versions up to 2.555.2. Successful exploitation can lead to arbitrary file read, user impersonation, Script Console access, and possible exposure of SSH keys, credentials, and internal Jenkins secrets. Administrators are urged to upgrade immediately to Jenkins weekly 2.568 or LTS 2.555.3, review logs for suspicious createView requests, and audit users with View/Configure, Item/Configure, or Agent/Configure permissions.
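As an added example that is not part of the original post or of Jenkins itself, the following Python script applies two of the checks the advisory recommends: it classifies a Jenkins version string as weekly or LTS and compares it against the fix versions stated above, and it scans access-log lines for POST requests to createView endpoints that should be reviewed. The NCSA combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Fix versions stated in the advisory: weekly 2.568, LTS 2.555.3.
FIXED_WEEKLY = (2, 568)
FIXED_LTS = (2, 555, 3)

def is_vulnerable(version: str) -> bool:
    """Weekly releases are 'major.build' (2.567); LTS adds a patch level (2.555.2).
    Anything below the matching fix version is in the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 2:
        return parts < FIXED_WEEKLY
    if len(parts) == 3:
        return parts < FIXED_LTS
    raise ValueError(f"unrecognised Jenkins version: {version!r}")

# Assumed NCSA combined access-log line: ip ident user [ts] "METHOD path proto" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# createView is reachable at the root and under folders, so match the last path segment.
CREATE_VIEW = re.compile(r'(^|/)createView/?$')

def find_create_view_posts(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (user, ip, path, status) for every POST to a createView endpoint."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path")
        if CREATE_VIEW.search(path.split("?", 1)[0]):  # drop the query string first
            hits.append((m.group("user"), m.group("ip"), path, int(m.group("status"))))
    return hits

# Constructed sample log lines (not real traffic); the anonymous user is logged as '-'.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jun/2026:09:12:01 +0000] "GET /job/build-api/lastBuild/console HTTP/1.1" 200 5120
10.0.0.9 - bob [15/Jun/2026:09:13:44 +0000] "POST /createView?name=ops HTTP/1.1" 302 0
10.0.0.9 - bob [15/Jun/2026:09:13:45 +0000] "POST /job/platform/createView HTTP/1.1" 302 0
10.0.0.5 - alice [15/Jun/2026:09:14:02 +0000] "GET /view/all/ HTTP/1.1" 200 8841
10.0.0.7 - - [15/Jun/2026:09:15:10 +0000] "POST /createView?name=x HTTP/1.1" 403 0
""".splitlines()

if __name__ == "__main__":
    for v in ("2.567", "2.568", "2.555.2", "2.555.3"):
        print(v, "affected" if is_vulnerable(v) else "fixed")
    for hit in find_create_view_posts(SAMPLE_LOG):
        print("review:", hit)
```

Each flagged request still needs a human decision: a createView POST from an account that legitimately manages views is expected, while one from an account that should only hold Item/Configure or Agent/Configure is worth a closer look.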

[–] SamuelEllis@lemmy.world 1 points 5 days ago

Since the vulnerability involves deserialization of untrusted data via config.xml, the primary mitigation beyond patching is ensuring strict input validation on file uploads and restricting write permissions to the Jenkins home directory to prevent arbitrary file creation. Have you verified that your Jenkins controller does not inadvertently expose sensitive artifacts through Stapler's file serving mechanisms?