CVE-2017-1000353


CVSS 9.8 CRITICAL · EPSS 99.7% · ● KEV · CWE-502
In short

Jenkins weekly releases before 2.57 and LTS releases before 2.46.2 allowed unauthenticated attackers to run arbitrary code by sending specially crafted serialized Java objects to the Jenkins CLI. This is critical because the Jenkins process typically holds build credentials, deploy keys and access to the hosts it manages, all of which fall to whoever controls it.

Technical detail

An unauthenticated remote code execution flaw in the Jenkins CLI, rooted in unsafe Java deserialization. The remoting-based CLI protocol accepted serialized Java objects from unauthenticated clients and guarded them with a blacklist applied to the `ObjectInputStream` that reads the connection. `java.security.SignedObject` was not on that blacklist, and `SignedObject.getObject()` deserializes the bytes it carries with a new, unfiltered `ObjectInputStream`, so a gadget chain wrapped inside a `SignedObject` never passes through the filter and runs with the privileges of the Jenkins process. The fix adds `SignedObject` to the blacklist, backports the HTTP-based CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecates the remoting-based (Java serialization) CLI protocol, disabling it by default.

Summary generated and translated by AI from the official description.
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
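The bypass described above, as an added example; this is not Jenkins or remoting code. A per-stream blacklist in the style of the pre-fix remoting filter is applied to the outer `ObjectInputStream`, a harmless class named `Forbidden` stands in for a real gadget, and the same payload is fed to the blacklist before and after `SignedObject` is added to it. The class names, the RSA signing key and the direct call to `getObject()` are assumptions for the demo; in a real attack that call has to be reached by an object graph the blacklist permits.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

public class SignedObjectBypassDemo {

    // Stand-in for a blacklisted gadget class (constructed for this example; it does nothing harmful).
    public static class Forbidden implements Serializable {
        private static final long serialVersionUID = 1L;
        public static volatile boolean instantiated = false;
        public final String marker;
        public Forbidden(String marker) { this.marker = marker; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            instantiated = true; // a real gadget would do its damage here
        }
    }

    // Per-stream blacklist, modelled on the pre-fix remoting ClassFilter: it only sees
    // classes resolved by THIS stream, not by streams created elsewhere.
    static class BlacklistingInputStream extends ObjectInputStream {
        private final Set<String> blocked;
        BlacklistingInputStream(InputStream in, Set<String> blocked) throws IOException {
            super(in);
            this.blocked = blocked;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (blocked.contains(desc.getName())) {
                throw new InvalidClassException("blocked by blacklist: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Attacker side: wrap the forbidden object in a SignedObject. Any key works,
    // because getObject() deserializes without verifying the signature.
    static byte[] buildPayload() throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withRSA");
        SignedObject wrapper = new SignedObject(new Forbidden("demo"), kp.getPrivate(), sig);
        return serialize(wrapper);
    }

    // Victim side: read the payload through the blacklist, then unwrap the SignedObject.
    // Returns true if the Forbidden gadget was instantiated despite the blacklist.
    static boolean receive(byte[] payload, Set<String> blacklist) throws Exception {
        Forbidden.instantiated = false;
        Object outer;
        try (ObjectInputStream in = new BlacklistingInputStream(new ByteArrayInputStream(payload), blacklist)) {
            outer = in.readObject(); // only SignedObject, byte[] and String are resolved here
        }
        if (outer instanceof SignedObject) {
            // SignedObject.getObject() builds a brand-new ObjectInputStream over its embedded
            // bytes, so resolveClass() above never sees the inner class.
            ((SignedObject) outer).getObject();
        }
        return Forbidden.instantiated;
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = buildPayload();

        // Pre-fix: the gadget class is blacklisted, yet it is still instantiated.
        Set<String> preFix = Set.of(Forbidden.class.getName());
        System.out.println("pre-fix blacklist, gadget ran: " + receive(payload, preFix));

        // Post-fix: SignedObject itself is blacklisted, so the outer read is rejected.
        Set<String> postFix = Set.of(Forbidden.class.getName(), SignedObject.class.getName());
        try {
            System.out.println("post-fix blacklist, gadget ran: " + receive(payload, postFix));
        } catch (InvalidClassException e) {
            System.out.println("post-fix blacklist rejected payload: " + e.getMessage());
        }
    }
}
```

The first run reports that the gadget ran even though its class is on the blacklist; the second is refused before the wrapper is ever unwrapped, which is exactly what adding `SignedObject` to the list buys. The broader lesson is that a filter bolted onto one stream (a `resolveClass()` override, or a filter set with `ObjectInputStream.setObjectInputFilter()` on that stream) does not follow objects that open their own streams; on JDK 9 and later a process-wide filter installed through `ObjectInputFilter.Config.setSerialFilter()` applies to every `ObjectInputStream`, including the one `SignedObject.getObject()` creates, and not accepting serialized objects from unauthenticated peers at all, as the HTTP CLI does, removes the problem entirely.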
Affected products
Jenkins (weekly) 2.56 and earlier · Jenkins LTS 2.46.1 and earlier