CVE-2017-1000353
First published: Mon Jan 29 2018(Updated: )
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Jenkins | <=2.56 | |
| Jenkins Jenkins | <=2.46.1 | |
| Oracle Communications Cloud Native Core Automated Test Suite | =1.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/references
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/jenkins
- canonical/jenkins jenkins
- version/jenkins jenkins/2.56
- version/jenkins jenkins/2.46.1
- vendor/oracle
- canonical/oracle communications cloud native core automated test suite
- version/oracle communications cloud native core automated test suite/1.9.0