Prohibit deserialization of Object fields by default #26914
Description
Metadata
Metadata
Assignees
Labels
No labels
Type
Fields
Give feedbackNo fields configured for Enhancement.
{{ message }}
Prohibit deserialization of
What feature do you want to see added?
SECURITY-3707 demonstrates the risk involved in allowing the deserialization of
Objecttype fields in XStream, combined with them ending up handling requests.As an improvement, Jenkins should refuse to deserialize
Objectfields by default.Upstream changes
No response
Are you interested in contributing this feature?
No response