Monday 06 July 2026 14:57:10 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

WIKICROOK

JEP-200

A Jenkins hardening change that uses class filtering to restrict which types can be deserialized.

JEP-200 is a Jenkins hardening measure that adds class filtering to object deserialization. In practice, it limits which Java classes Jenkins will accept when turning serialized data back into live objects. This matters because deserialization is a common attack surface: if an application accepts untrusted objects, an attacker may be able to trigger unsafe behavior, gadget chains, or code execution.

In Jenkins, many settings and plugin data are stored as structured XML and passed through libraries such as XStream. JEP-200 reduces risk by blocking unexpected or dangerous types before they are instantiated. Defenders rely on it to shrink the blast radius of configuration parsing bugs and plugin abuse, while attackers try to bypass or reach code paths that deserialize outside the approved class set. It is a control, not a complete fix, so secure permissions, patching, and trusted data handling still matter.

← WIKICROOK index