Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/15056?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15056?format=api", "vulnerability_id": "VCID-z5ns-74uq-4uef", "summary": "Deserialization of Untrusted Data in Jenkins\nAn unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing denylist-based protection mechanism.", "aliases": [ { "alias": "CVE-2017-1000353" }, { "alias": "GHSA-26wc-3wqp-g3rp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52912?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/26358?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.57", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.57" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26356?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-syz5-rzv5-ukhb" }, { "vulnerability": "VCID-yq9y-tdnu-2uc3" }, { "vulnerability": "VCID-ytyb-zk5y-6ub2" }, { "vulnerability": "VCID-z5ns-74uq-4uef" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/60095?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.50", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cy9-1z3y-ekba" }, { "vulnerability": "VCID-dyka-xcrq-8fds" }, { "vulnerability": "VCID-npms-7xaw-mye9" }, { "vulnerability": "VCID-s1wm-h4xx-tfh9" }, { "vulnerability": "VCID-syz5-rzv5-ukhb" }, { "vulnerability": "VCID-vv6x-yj68-cqas" }, { "vulnerability": "VCID-yq9y-tdnu-2uc3" }, { "vulnerability": "VCID-ytyb-zk5y-6ub2" }, { "vulnerability": "VCID-z5ns-74uq-4uef" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.50" }, { "url": "http://public2.vulnerablecode.io/api/packages/26357?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.56", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-syz5-rzv5-ukhb" }, { "vulnerability": "VCID-yq9y-tdnu-2uc3" }, { "vulnerability": "VCID-ytyb-zk5y-6ub2" }, { "vulnerability": "VCID-z5ns-74uq-4uef" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.56" } ], "references": [ { "reference_url": "http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/" } ], "url": "http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000353.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000353.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000353", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.94482", "scoring_system": "epss", "scoring_elements": "0.99999", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.94493", "scoring_system": "epss", "scoring_elements": "1.0", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.94508", "scoring_system": "epss", "scoring_elements": "1.0", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000353" }, { "reference_url": "https://github.com/jenkinsci/jenkins", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/jenkins" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/f237601afd750a0eaaf961e8120b08de238f2c3f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/jenkins/commit/f237601afd750a0eaaf961e8120b08de238f2c3f" }, { "reference_url": "https://jenkins.io/security/advisory/2017-04-26", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jenkins.io/security/advisory/2017-04-26" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353" }, { "reference_url": "https://www.exploit-db.com/exploits/41965", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.exploit-db.com/exploits/41965" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/" } ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "reference_url": "http://www.securityfocus.com/bid/98056", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/" } ], "url": "http://www.securityfocus.com/bid/98056" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1446114", "reference_id": "1446114", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1446114" }, { "reference_url": "https://www.exploit-db.com/exploits/41965/", "reference_id": "41965", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/" } ], "url": "https://www.exploit-db.com/exploits/41965/" }, { "reference_url": "https://blogs.securiteam.com/index.php/archives/3171", "reference_id": "CVE-2017-1000353", "reference_type": "exploit", "scores": [], "url": "https://blogs.securiteam.com/index.php/archives/3171" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/dos/41965.txt", "reference_id": "CVE-2017-1000353", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/dos/41965.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000353", "reference_id": "CVE-2017-1000353", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000353" }, { "reference_url": "https://github.com/advisories/GHSA-26wc-3wqp-g3rp", "reference_id": "GHSA-26wc-3wqp-g3rp", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-26wc-3wqp-g3rp" } ], "weaknesses": [ { "cwe_id": 502, "name": "Deserialization of Untrusted Data", "description": "The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [ { "date_added": "2017-05-05", "description": "CloudBees Jenkins 2.32.1 - Java Deserialization", "required_action": null, "due_date": null, "notes": null, "known_ransomware_campaign_use": false, "source_date_published": "2017-05-05", "exploit_type": "dos", "platform": "java", "source_date_updated": "2017-05-05", "data_source": "Exploit-DB", "source_url": "https://blogs.securiteam.com/index.php/archives/3171" }, { "date_added": null, "description": "An unauthenticated Java object deserialization vulnerability exists\n in the CLI component for Jenkins versions `v2.56` and below.\n\n The `readFrom` method within the `Command` class in the Jenkins\n CLI remoting component deserializes objects received from clients without\n first checking / sanitizing the data. Because of this, a malicious serialized\n object contained within a serialized `SignedObject` can be sent to the Jenkins\n endpoint to achieve code execution on the target.", "required_action": null, "due_date": null, "notes": "Stability:\n - crash-safe\nReliability:\n - unreliable-session\nSideEffects:\n - ioc-in-logs\n", "known_ransomware_campaign_use": false, "source_date_published": "2017-04-26", "exploit_type": null, "platform": "Linux", "source_date_updated": null, "data_source": "Metasploit", "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/jenkins_cli_deserialization.rb" }, { "date_added": "2025-10-02", "description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.", "required_action": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "due_date": "2025-10-23", "notes": "https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353", "known_ransomware_campaign_use": false, "source_date_published": null, "exploit_type": null, "platform": null, "source_date_updated": null, "data_source": "KEV", "source_url": null } ], "severity_range_score": "8.1 - 10.0", "exploitability": "2.0", "weighted_severity": "9.0", "risk_score": 10.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z5ns-74uq-4uef" }