CVE-2017-1000353
published 2018-01-29

Priority: P1 (99), critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-23
Exploited in the wild
EPSS: 99.69% (99.9th percentile)
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Affected

5 ranges

Vendor  | Product                                                | Version range | Fixed in
jenkins | jenkins                                                | <= 2.56       |
jenkins | jenkins                                                | <= 2.46.1     |
jenkins | jenkins_core                                           |               |
jenkins | jenkins_lts                                            |               |
oracle  | communications_cloud_native_core_automated_test_suite  |               |

Detection & IOCs (extracted from sources)

URL: /cli
Bytes: rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=
  • The exploit preamble begins with the base64-encoded serialized hudson.remoting.Capability object. Detect this specific base64 blob or its decoded bytes in HTTP POST bodies to /cli.
  • In-the-wild exploitation injects PowerShell via the deserialization payload to download and execute a miner. Hunt for PowerShell process spawned as a child of Jenkins with '-WindowStyle Hidden' and DownloadFile calls.
  • Shodan/FOFA queries for exposed Jenkins instances: use favicon hash 81586312 or the 'x-jenkins' HTTP response header to identify targets.
  • The vulnerability only affects the remoting-based (Java serialization) CLI protocol. Jenkins instances where this protocol is disabled (default in versions after 2.54/2.46.2) are not exploitable via this vector.
  • The bypass works by wrapping a malicious serialized object inside a java.security.SignedObject, which causes deserialization via a fresh ObjectInputStream that does not consult the existing blacklist.
  • The fix adds SignedObject to the remoting blocklist and backports the HTTP-based CLI protocol to LTS 2.46.2. Users should also explicitly disable the remoting-based CLI after upgrading.
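The first detection bullet above, worked through as an added example (not code from this record or from the Jenkins project): a Python check that recognizes the serialized hudson.remoting.Capability preamble in POST bodies to /cli, whether it arrives as the base64 string quoted above or as raw bytes, and walks the Java serialization stream header to confirm the class name. The sample requests and the /jenkins context path are constructed assumptions.

```python
import base64

# Base64 preamble quoted in the record above: a serialized hudson.remoting.Capability
CAPABILITY_PREAMBLE_B64 = (
    "rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4="
)
CAPABILITY_PREAMBLE = base64.b64decode(CAPABILITY_PREAMBLE_B64)

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION of ObjectOutputStream
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def first_class_name(stream: bytes):
    """Class named by the first TC_OBJECT/TC_CLASSDESC record of a Java
    serialization stream, or None if the stream does not start that way."""
    if not stream.startswith(JAVA_STREAM_MAGIC) or len(stream) < 8:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    name_len = int.from_bytes(stream[6:8], "big")  # 2-byte UTF length prefix
    return stream[8:8 + name_len].decode("ascii", errors="replace")


def is_remoting_handshake(body: bytes) -> bool:
    """True if the body carries the remoting CLI preamble, raw or base64."""
    if CAPABILITY_PREAMBLE in body or CAPABILITY_PREAMBLE_B64.encode() in body:
        return True
    # Looser match: any Java stream whose first object is the Capability class.
    return first_class_name(body) == "hudson.remoting.Capability"


def flag_request(method: str, path: str, body: bytes) -> bool:
    """Flag POSTs to a /cli endpoint (under any context path) with a remoting handshake."""
    return (method.upper() == "POST"
            and path.split("?", 1)[0].rstrip("/").endswith("/cli")
            and is_remoting_handshake(body))


# Constructed sample requests (hypothetical; not taken from the record).
SAMPLE_REQUESTS = [
    ("POST", "/cli", CAPABILITY_PREAMBLE_B64.encode() + b"\n..."),         # base64 preamble
    ("POST", "/jenkins/cli?remoting=true", CAPABILITY_PREAMBLE + b"\x00"),  # raw bytes
    ("POST", "/cli", b"rO0ABXNyAA..."),                                      # unrelated blob
    ("GET", "/cli", b""),                                                    # no body
    ("POST", "/login", CAPABILITY_PREAMBLE),                                 # other endpoint
]


def scan(requests=SAMPLE_REQUESTS):
    """Indices of the requests that match the detection rule."""
    return [i for i, (m, p, b) in enumerate(requests) if flag_request(m, p, b)]
```

Decoded, the preamble is 62 bytes: the stream magic, the class descriptor for hudson.remoting.Capability with its single long field `mask`, and the value 0x7e; the fallback match on the class name catches re-encodings that change the trailing mask value.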

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL
vendor_oracle: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL