{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15056?format=json","vulnerability_id":"VCID-z5ns-74uq-4uef","summary":"Deserialization of Untrusted Data in Jenkins\nAn unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing denylist-based protection mechanism.","aliases":[{"alias":"CVE-2017-1000353"},{"alias":"GHSA-26wc-3wqp-g3rp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52912?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.2"},{"url":"http://public2.vulnerablecode.io/api/packages/26358?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@2.57","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.57"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26356?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-syz5-rzv5-ukhb"},{"vulnerability":"VCID-yq9y-tdnu-2uc3"},{"vulnerability":"VCID-ytyb-zk5y-6ub2"},{"vulnerability":"VCID-z5ns-74uq-4uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.46.1"},{"url":"http://public2.vulnerablecode.io/api/packages/60095?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@2.50","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4cy9-1z3y-ekba"},{"vulnerability":"VCID-dyka-xcrq-8fds"},{"vulnerability":"VCID-npms-7xaw-mye9"},{"vulnerability":"VCID-s1wm-h4xx-tfh9"},{"vulnerability":"VCID-syz5-rzv5-ukhb"},{"vulnerability"
:"VCID-vv6x-yj68-cqas"},{"vulnerability":"VCID-yq9y-tdnu-2uc3"},{"vulnerability":"VCID-ytyb-zk5y-6ub2"},{"vulnerability":"VCID-z5ns-74uq-4uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.50"},{"url":"http://public2.vulnerablecode.io/api/packages/26357?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@2.56","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-syz5-rzv5-ukhb"},{"vulnerability":"VCID-yq9y-tdnu-2uc3"},{"vulnerability":"VCID-ytyb-zk5y-6ub2"},{"vulnerability":"VCID-z5ns-74uq-4uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.56"}],"references":[{"reference_url":"http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/"}],"url":"http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000353.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000353.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000353","reference_id":"","reference_type":"","scores":[{"value":"0.94479","scoring_system":"epss","scoring_elements":"0.99999","published_at":"2026-05-14T12:55:00Z"},{"value":"0.94482",
"scoring_system":"epss","scoring_elements":"0.99999","published_at":"2026-05-12T12:55:00Z"},{"value":"0.94493","scoring_system":"epss","scoring_elements":"1.0","published_at":"2026-04-18T12:55:00Z"},{"value":"0.94508","scoring_system":"epss","scoring_elements":"1.0","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000353"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/f237601afd750a0eaaf961e8120b08de238f2c3f","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/f237601afd750a0eaaf961e8120b08de238f2c3f"},{"reference_url":"https://jenkins.io/security/advisory/2017-04-26","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jenkins.io/security/advisory/2017-04-26"},{"reference_url":"https://www.cisa.gov/kno
wn-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353"},{"reference_url":"https://www.exploit-db.com/exploits/41965","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/41965"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/"}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"http://www.securityfocus.com/bid/98056","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/"}],"url":"http://www.securityfocus.com/bid/98056"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=
1446114","reference_id":"1446114","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1446114"},{"reference_url":"https://www.exploit-db.com/exploits/41965/","reference_id":"41965","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-02T03:55:44Z/"}],"url":"https://www.exploit-db.com/exploits/41965/"},{"reference_url":"https://blogs.securiteam.com/index.php/archives/3171","reference_id":"CVE-2017-1000353","reference_type":"exploit","scores":[],"url":"https://blogs.securiteam.com/index.php/archives/3171"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/dos/41965.txt","reference_id":"CVE-2017-1000353","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/dos/41965.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000353","reference_id":"CVE-2017-1000353","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000353"},{"reference_url":"https://github.com/advisories/GHSA-26wc-3wqp-g3rp","reference_id":"GHSA-26wc-3wqp-g3rp","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-26wc-3wqp-g3rp"}],"weaknesses":[{"cwe_id":502,"name":"Deserialization of Untrusted Data","description":"The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category 
are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[{"date_added":"2017-05-05","description":"CloudBees Jenkins 2.32.1 - Java Deserialization","required_action":null,"due_date":null,"notes":null,"known_ransomware_campaign_use":false,"source_date_published":"2017-05-05","exploit_type":"dos","platform":"java","source_date_updated":"2017-05-05","data_source":"Exploit-DB","source_url":"https://blogs.securiteam.com/index.php/archives/3171"},{"date_added":null,"description":"An unauthenticated Java object deserialization vulnerability exists\n          in the CLI component for Jenkins versions `v2.56` and below.\n\n          The `readFrom` method within the `Command` class in the Jenkins\n          CLI remoting component deserializes objects received from clients without\n          first checking / sanitizing the data. Because of this, a malicious serialized\n          object contained within a serialized `SignedObject` can be sent to the Jenkins\n          endpoint to achieve code execution on the target.","required_action":null,"due_date":null,"notes":"Stability:\n  - crash-safe\nReliability:\n  - unreliable-session\nSideEffects:\n  - ioc-in-logs\n","known_ransomware_campaign_use":false,"source_date_published":"2017-04-26","exploit_type":null,"platform":"Linux","source_date_updated":null,"data_source":"Metasploit","source_url":"https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/jenkins_cli_deserialization.rb"},{"date_added":"2025-10-02","description":"Jenkins contains a remote code execution vulnerability. 
This vulnerability could allow attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.","required_action":"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","due_date":"2025-10-23","notes":"https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353","known_ransomware_campaign_use":false,"source_date_published":null,"exploit_type":null,"platform":null,"source_date_updated":null,"data_source":"KEV","source_url":null}],"severity_range_score":"8.1 - 10.0","exploitability":"2.0","weighted_severity":"9.0","risk_score":10.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z5ns-74uq-4uef"}
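The record above lists discrete affected and fixed jenkins-core versions (affected: 2.46.1, 2.50, 2.56; fixed: 2.46.2 and 2.57). The following triage helper is an added example, not part of the VulnerableCode record or of the Jenkins code base. It generalises the fixed_packages data into two release-line cutoffs, 2.46.2 for the LTS line and 2.57 for the weekly line, which is how the vendor advisory linked in the references states the fix. Assumptions it makes: Jenkins version numbers with three components (2.46.1) are LTS releases and two-component numbers (2.56) are weekly releases, as is the Jenkins numbering convention; the version string is taken from the `X-Jenkins` response header that a Jenkins instance sends, and the sample header values in the block are constructed, not captured from real hosts.

```python
"""Triage helper for CVE-2017-1000353 (Jenkins remoting-based CLI deserialization).

Added example; not the VulnerableCode record's or the Jenkins project's code.
Cutoffs are taken from the record's fixed_packages entries: jenkins-core 2.46.2
(LTS line) and 2.57 (weekly line). Assumption: Jenkins LTS versions carry three
numeric components (e.g. 2.46.1), weekly releases two (e.g. 2.56).
"""
import re
from typing import Optional, Tuple

FIXED_LTS = (2, 46, 2)     # first fixed LTS release per the record
FIXED_WEEKLY = (2, 57)     # first fixed weekly release per the record


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn '2.46.1', '2.57' or '2.56-SNAPSHOT' into a tuple of ints.

    Anything after the leading dotted-number run (e.g. '-SNAPSHOT', '-rc') is
    dropped: a qualifier does not change which release line the build is on.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", raw.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {raw!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_lts(version: Tuple[int, ...]) -> bool:
    # Assumption (Jenkins numbering convention): X.Y.Z is an LTS release, X.Y a weekly.
    return len(version) >= 3


def is_affected(raw: str) -> bool:
    """True if this jenkins-core version predates the fix on its release line."""
    v = parse_version(raw)
    if is_lts(v):
        # LTS line: compare the first three components; 2.46.2 and later are fixed.
        return v[:3] < FIXED_LTS
    # Weekly line: 2.57 and later are fixed. Any 1.x release also predates the fix.
    return v[:2] < FIXED_WEEKLY


def triage_header(x_jenkins: Optional[str]) -> str:
    """Classify a server from the value of its X-Jenkins response header."""
    if not x_jenkins:
        return "unknown: no X-Jenkins header (not Jenkins, or header stripped by a proxy)"
    try:
        affected = is_affected(x_jenkins)
    except ValueError:
        return f"unknown: unparseable X-Jenkins value {x_jenkins!r}"
    return f"{'AFFECTED' if affected else 'fixed'}: Jenkins {x_jenkins.strip()}"


if __name__ == "__main__":
    # Constructed sample header values; not captured from real hosts.
    samples = ["2.46.1", "2.46.2", "2.50", "2.56", "2.57",
               "2.32.1", "1.658", "2.56-SNAPSHOT", "garbage", None]
    for value in samples:
        print(triage_header(value))
```

A version that the helper reports as AFFECTED should be treated as exploitable rather than merely vulnerable: the record carries an Exploit-DB entry, a Metasploit module, and a CISA KEV listing, so a working unauthenticated exploit exists. Note that the check only tells you whether jenkins-core predates the fix; it does not observe whether the remoting-based CLI that carries the vulnerable deserialization path is actually reachable on that host, so a negative result from a version check is not a substitute for upgrading.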