An unauthenticated Java object deserialization vulnerability exists in the CLI component of Jenkins versions 2.56 and below. The readFrom method of the Command class in the Jenkins CLI remoting component deserializes objects received from clients without first validating or sanitizing the data. Because of this, a malicious serialized object wrapped inside a serialized SignedObject can be sent to the Jenkins CLI endpoint to achieve code execution on the target.
3729c358cb302e4f78e19a3ad5a83bfe54ed6e185ea35041abb6038c065373da
CloudBees Jenkins version 2.32.1 suffers from an unauthenticated remote code execution vulnerability.
142fb9c1fa1663f30278c55089d5387e15d4caea5392b59704a70a5249278ac5