CVE-2017-1000353

CWE-502 — Deserialization of Untrusted Data14 documents14 sources

9.8

CVSS

CRITICAL

EPSS94.5%(100th)

CISA KEVPublic ExploitExploited in Wild

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.main:jenkins-core2.50 — 2.57+1

▶NVDjenkins/jenkins2.56+1

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI...

NVD ↗MITRE ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in Jenkins↗2022-05-13

▶

OSV

Deserialization of Untrusted Data in Jenkins↗2022-05-13

▶

CVEList

CVE-2017-1000353: Jenkins versions 2↗2018-01-29

▶

VulnCheck

Jenkins Remote Code Execution Vulnerability↗2017

▶

💥Exploits & PoCs

Exploit-DB

CloudBees Jenkins 2.32.1 - Java Deserialization↗2017-05-05

▶

Nuclei

Jenkins CLI - Java Deserialization

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)↗2018-02-21

▶

📋Vendor Advisories

CISA

Jenkins Remote Code Execution Vulnerability↗2025-10-02

▶

Jenkins

Jenkins Security Advisory 2017-04-26↗2017-04-26

▶

Red Hat

jenkins: Unauthenticated remote code execution (SECURITY-429)↗2017-04-26

▶

Oracle

Oracle Critical Patch Update - APR 2022↗

▶

💬Community

FullDisc

https://blogs.securiteam.com/index.php/archives/3171↗2017-05-03

▶

MailList

Multiple vulnerabilities in Jenkins↗2017-04-26

▶