CVE-2017-1000353
high-risk
Published 2018-01-29
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
Do I need to act?
!
94.5% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (3)
References (11)
Permissions Required
http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Cod...
Broken Link
http://www.securityfocus.com/bid/98056
Vendor Advisory
https://jenkins.io/security/advisory/2017-04-26/
Permissions Required
http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Cod...
Broken Link
http://www.securityfocus.com/bid/98056
Vendor Advisory
https://jenkins.io/security/advisory/2017-04-26/
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-...
Get this data via API
curl -H "Authorization: Bearer YOUR_KEY" \
https://cyber.phasetransitions.ai/api/v1/cves/CVE-2017-1000353
Free tier: 100 requests/day, no credit card.
68
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
27/34 · High
Exposure
9/34 · Low