Impact
The vulnerability arises because the Matrix Authorization Strategy Plugin deserializes inheritance strategy configurations by invoking the parameterless constructor of whichever class is named in the configuration, without restricting which types may be instantiated. As a result, an attacker with Item/Configure permission can supply any class name present on the Jenkins classpath, and the plugin will create an instance of that class during deserialization. Depending on which classes are available, the attacker could gain access to sensitive data, alter system configuration, or mount further attacks. The weakness is an uncontrolled deserialization flaw, rated medium severity with a CVSS score of 6.5, that can compromise the confidentiality, integrity, and possibly availability of the Jenkins instance.
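To make the mechanism concrete, the following added Java example (not code from the plugin or from OpenCVE) contrasts the unrestricted reflective instantiation described above with an allowlist-based alternative; the strategy base type, the two strategy classes, the deserializer and the sample input are all hypothetical stand-ins.

```java
import java.util.Map;
import java.util.function.Supplier;

// Hypothetical stand-in for a strategy base type (assumption, not the plugin's code).
abstract class InheritanceStrategy {
    abstract String describe();
}

final class InheritParentStrategy extends InheritanceStrategy {
    String describe() { return "inherit-parent"; }
}

final class NonInheritingStrategy extends InheritanceStrategy {
    String describe() { return "non-inheriting"; }
}

final class StrategyDeserializer {

    // VULNERABLE PATTERN: the class name taken from the submitted configuration is
    // resolved on the classpath and its parameterless constructor is invoked as-is.
    static Object deserializeUnrestricted(String configuredClassName) throws Exception {
        Class<?> clazz = Class.forName(configuredClassName);
        return clazz.getDeclaredConstructor().newInstance();
    }

    // HARDENED PATTERN: the configured value is only a key into an explicit allowlist
    // of known strategy types; no reflection is performed on user-controlled names.
    private static final Map<String, Supplier<InheritanceStrategy>> ALLOWED = Map.of(
        "inheritParent", InheritParentStrategy::new,
        "nonInheriting", NonInheritingStrategy::new);

    static InheritanceStrategy deserializeRestricted(String configuredKey) {
        Supplier<InheritanceStrategy> factory = ALLOWED.get(configuredKey);
        if (factory == null) {
            throw new IllegalArgumentException("Unknown inheritance strategy: " + configuredKey);
        }
        return factory.get();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a class present on every JVM classpath that is not a strategy.
        String submitted = "java.util.ArrayList";
        System.out.println("unrestricted: " + deserializeUnrestricted(submitted).getClass().getName());
        try {
            deserializeRestricted(submitted);
        } catch (IllegalArgumentException e) {
            System.out.println("restricted: rejected (" + e.getMessage() + ")");
        }
        System.out.println("restricted: " + deserializeRestricted("inheritParent").describe());
    }
}
```

Where a class name must be accepted, an additional defensive layer is to require `Class.forName(name).asSubclass(InheritanceStrategy.class)` before instantiation, but an explicit allowlist keeps the reachable constructors enumerable and reviewable.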
Affected Systems
Jenkins Matrix Authorization Strategy Plugin, versions 2.0-beta-1 through 3.2.9 inclusive. Any Jenkins installation that has this plugin installed and configured, and where users possess Item/Configure permission, is susceptible to exploitation.
Risk and Exploitability
No EPSS score is available for this vulnerability, so the likelihood of exploitation is uncertain at this time, and it is not listed in CISA's KEV catalog. The risk nevertheless remains significant because the flaw permits arbitrary class instantiation, a powerful vector for further attacks. If a malicious user supplies a class that performs privileged operations or reads restricted files, the consequences could be severe. The attack can be performed remotely by configuring the plugin through the Jenkins web interface, assuming the user has Item/Configure permission. The CVSS score of 6.5 indicates medium severity, reflecting the broad impact on the affected system and the potential for data disclosure or compromise.
OpenCVE Enrichment