CVE-2017-1000353

CRITICAL KEV NUCLEI

Jenkins <2.56 / <2.46.1 LTS - RCE

Title source: llm

Description

Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to unauthenticated remote code execution. The vulnerability allowed attackers to transfer a serialized Java `SignedObject` to the Jenkins CLI; it would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Exploits (7)

github WRITEUP 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-1000353.md
nomisec WORKING POC 56 stars
by vulhub · remote-auth
https://github.com/vulhub/CVE-2017-1000353
github WRITEUP 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-1000353.md
nomisec SUSPICIOUS 3 stars
by r00t4dm · poc
https://github.com/r00t4dm/Jenkins-CVE-2017-1000353
nomisec SUSPICIOUS
by Jelc0Doesbruf · poc
https://github.com/Jelc0Doesbruf/CVE-2017-1000353
metasploit WORKING POC EXCELLENT
by SSD, Unknown, Shelby Pace · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/jenkins_cli_deserialization.rb
exploitdb WORKING POC
by SecuriTeam · text · dos · java
https://www.exploit-db.com/exploits/41965

Nuclei Templates (1)

Jenkins CLI - Java Deserialization
CRITICAL · by hnd3884
Shodan: cpe:"cpe:2.3:a:jenkins:jenkins" || http.favicon.hash:"81586312" || product:"jenkins" || x-jenkins
FOFA: icon_hash=81586312

Scores

CVSS v3 9.8
EPSS 0.9451
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2025-10-02
VulnCheck KEV 2018-07-07
InTheWild.io 2018-02-18
ENISA EUVD EUVD-2022-1921

Classification

CWE
CWE-502
Status published

Affected Products (4)

jenkins/jenkins < 2.56
jenkins/jenkins < 2.46.1
oracle/communications_cloud_native_core_automated_test_suite
org.jenkins-ci.main/jenkins-core < 2.57 (Maven)

Timeline

Published Jan 29, 2018
KEV Added Oct 02, 2025
Tracked Since Feb 18, 2026