Vulnerability_id VCID-z5ns-74uq-4uef
Summary
Deserialization of Untrusted Data in Jenkins
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, which would be deserialized using a new `ObjectInputStream`, bypassing the existing denylist-based protection mechanism.
Aliases
0
alias CVE-2017-1000353
1
alias GHSA-26wc-3wqp-g3rp
Fixed_packages
0
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.2
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.2
1
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.57
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.57
Affected_packages
0
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-syz5-rzv5-ukhb
1
vulnerability VCID-yq9y-tdnu-2uc3
2
vulnerability VCID-ytyb-zk5y-6ub2
3
vulnerability VCID-z5ns-74uq-4uef
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1
1
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.50
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.50
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4cy9-1z3y-ekba
1
vulnerability VCID-dyka-xcrq-8fds
2
vulnerability VCID-npms-7xaw-mye9
3
vulnerability VCID-s1wm-h4xx-tfh9
4
vulnerability VCID-syz5-rzv5-ukhb
5
vulnerability VCID-vv6x-yj68-cqas
6
vulnerability VCID-yq9y-tdnu-2uc3
7
vulnerability VCID-ytyb-zk5y-6ub2
8
vulnerability VCID-z5ns-74uq-4uef
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.50
2
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.56
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.56
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-syz5-rzv5-ukhb
1
vulnerability VCID-yq9y-tdnu-2uc3
2
vulnerability VCID-ytyb-zk5y-6ub2
3
vulnerability VCID-z5ns-74uq-4uef
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.56
References
0
reference_url http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/
url http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000353.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000353.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-1000353
reference_id
reference_type
scores
0
value 0.94482
scoring_system epss
scoring_elements 0.99999
published_at 2026-04-29T12:55:00Z
1
value 0.94493
scoring_system epss
scoring_elements 1.0
published_at 2026-04-18T12:55:00Z
2
value 0.94508
scoring_system epss
scoring_elements 1.0
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-1000353
3
reference_url https://github.com/jenkinsci/jenkins
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/jenkins
4
reference_url https://github.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076
5
reference_url https://github.com/jenkinsci/jenkins/commit/f237601afd750a0eaaf961e8120b08de238f2c3f
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/jenkins/commit/f237601afd750a0eaaf961e8120b08de238f2c3f
6
reference_url https://jenkins.io/security/advisory/2017-04-26
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://jenkins.io/security/advisory/2017-04-26
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353
8
reference_url https://www.exploit-db.com/exploits/41965
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/41965
9
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/
url https://www.oracle.com/security-alerts/cpuapr2022.html
10
reference_url http://www.securityfocus.com/bid/98056
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/
url http://www.securityfocus.com/bid/98056
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1446114
reference_id 1446114
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1446114
12
reference_url https://www.exploit-db.com/exploits/41965/
reference_id 41965
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/
url https://www.exploit-db.com/exploits/41965/
13
reference_url https://blogs.securiteam.com/index.php/archives/3171
reference_id CVE-2017-1000353
reference_type exploit
scores
url https://blogs.securiteam.com/index.php/archives/3171
14
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/dos/41965.txt
reference_id CVE-2017-1000353
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/dos/41965.txt
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-1000353
reference_id CVE-2017-1000353
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-1000353
16
reference_url https://github.com/advisories/GHSA-26wc-3wqp-g3rp
reference_id GHSA-26wc-3wqp-g3rp
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-26wc-3wqp-g3rp
Weaknesses
0
cwe_id 502
name Deserialization of Untrusted Data
description The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
0
date_added null
description
An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions `v2.56` and below.

The `readFrom` method within the `Command` class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized `SignedObject` can be sent to the Jenkins endpoint to achieve code execution on the target.
required_action null
due_date null
notes
Stability:
  - crash-safe
Reliability:
  - unreliable-session
SideEffects:
  - ioc-in-logs
known_ransomware_campaign_use false
source_date_published 2017-04-26
exploit_type null
platform Linux
source_date_updated null
data_source Metasploit
source_url https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/jenkins_cli_deserialization.rb
1
date_added 2017-05-05
description CloudBees Jenkins 2.32.1 - Java Deserialization
required_action null
due_date null
notes null
known_ransomware_campaign_use false
source_date_published 2017-05-05
exploit_type dos
platform java
source_date_updated 2017-05-05
data_source Exploit-DB
source_url https://blogs.securiteam.com/index.php/archives/3171
2
date_added 2025-10-02
description Jenkins contains a remote code execution vulnerability. This vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.
required_action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
due_date 2025-10-23
notes https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353
known_ransomware_campaign_use false
source_date_published null
exploit_type null
platform null
source_date_updated null
data_source KEV
source_url null
Severity_range_score 8.1 - 10.0
Exploitability 2.0
Weighted_severity 9.0
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z5ns-74uq-4uef