Cyber Resilience

CVE-2017-1000353

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 29 January 2018
Modified: 05 November 2025
KEV Added: 02 October 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9448 (100.0th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-1000353 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jenkins (vendor Jenkins, product Jenkins). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score of 0.9448 places it in the 100.0th percentile of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

Jenkins versions 2.56 and earlier, along with 2.46.1 LTS and earlier, contain an unauthenticated remote code execution vulnerability in the Jenkins CLI component. The flaw stems from unsafe deserialization of a serialized Java SignedObject sent over the remoting protocol, which is processed via a fresh ObjectInputStream that bypasses the existing blacklist protections for untrusted data, corresponding to CWE-502.

An attacker with network access to the Jenkins CLI endpoint can exploit this by transmitting a crafted SignedObject payload. Successful exploitation grants the ability to execute arbitrary code on the server with no authentication required, leading to full compromise of confidentiality, integrity, and availability as reflected in the CVSS 9.8 score.

The Jenkins security advisory recommends mitigating the issue by adding SignedObject to the deserialization blacklist, backporting the HTTP-based CLI protocol introduced in version 2.54 to LTS release 2.46.2, and deprecating the Java serialization-based (remoting) CLI protocol while disabling it by default. For operators this means upgrading to a weekly release later than 2.56 or to LTS 2.46.2 and leaving the remoting-based CLI disabled. Public references including exploit code on Exploit-DB and Packet Storm indicate that proof-of-concept attacks targeting this deserialization path have been published.
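The bypass described above, and the advisory's blacklist fix, reduced to a stand-alone Java program. This is an added illustration written for this page; it is not Jenkins code and not the published exploit. `BlacklistObjectInputStream` stands in for Jenkins' resolveClass-based class blacklist, `DangerousGadget` stands in for a real gadget chain and only records that it was instantiated, and the RSA key pair exists solely so that a `SignedObject` can be built: the receiver never calls `verify()`, which is exactly why an attacker's own key suffices.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

// Added demo for CVE-2017-1000353 (not Jenkins code): shows why a per-stream class
// blacklist does not see the object nested inside a java.security.SignedObject.
public class SignedObjectBypassDemo {

    // Stand-in for a deserialization gadget: a real one would run attacker-controlled
    // logic in readObject(); this one only records that it was reached.
    public static class DangerousGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean instantiated = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            instantiated = true;
        }
    }

    // Blacklist-style filtering stream: rejects listed class names in resolveClass(),
    // the same shape of protection the advisory says SignedObject bypassed.
    public static class BlacklistObjectInputStream extends ObjectInputStream {
        private final Set<String> blacklist;

        BlacklistObjectInputStream(InputStream in, Set<String> blacklist) throws IOException {
            super(in);
            this.blacklist = blacklist;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (blacklist.contains(desc.getName())) {
                throw new InvalidClassException("blocked by blacklist: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Attacker side: wrap the gadget in a SignedObject. SignedObject serializes the
    // inner object into a private byte[] at construction time; the key pair here is
    // constructed for the demo and is never checked by the receiver.
    static byte[] buildPayload() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withRSA");
        SignedObject wrapper = new SignedObject(new DangerousGadget(), kp.getPrivate(), sig);
        return serialize(wrapper);
    }

    // Receiver side: read through the blacklist stream, then unwrap the SignedObject.
    // Returns true if the gadget was instantiated, false if the blacklist stopped it.
    static boolean receive(byte[] payload, Set<String> blacklist) throws Exception {
        DangerousGadget.instantiated = false;
        try (ObjectInputStream in = new BlacklistObjectInputStream(new ByteArrayInputStream(payload), blacklist)) {
            Object outer = in.readObject(); // only SignedObject (plus byte[] and String) is resolved here
            if (outer instanceof SignedObject) {
                // getObject() builds a *new* ObjectInputStream over the embedded bytes,
                // so the outer stream's blacklist never sees DangerousGadget.
                ((SignedObject) outer).getObject();
            }
        } catch (InvalidClassException blocked) {
            return false;
        }
        return DangerousGadget.instantiated;
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = buildPayload();
        String gadget = DangerousGadget.class.getName();

        // Vulnerable configuration: the gadget class is blacklisted, yet it still runs.
        boolean bypassed = receive(payload, Set.of(gadget));
        System.out.println("gadget-only blacklist, gadget instantiated: " + bypassed);

        // Fix from the advisory: blacklist SignedObject itself so the wrapper is rejected
        // before its nested stream can be opened.
        boolean blocked = !receive(payload, Set.of(gadget, SignedObject.class.getName()));
        System.out.println("blacklist including SignedObject, payload blocked: " + blocked);
    }
}
```

Compile and run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo` (Java 9 or later, for `Set.of`). The first call reports the gadget as instantiated despite being blacklisted; the second reports the payload as blocked. The general lesson is that a filter attached to one `ObjectInputStream` protects only that stream: any class that opens its own stream internally (`SignedObject.getObject()` is one) starts from an unfiltered state. A JVM-wide deserialization filter, set with `ObjectInputFilter.Config.setSerialFilter(...)` or `-Djdk.serialFilter=...`, is consulted by every `ObjectInputStream` created in the process, including the nested one, and is the durable version of the "filter before deserialization" control.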


Vulnerability details

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins / jenkins · ≤ 2.56 (weekly) · ≤ 2.46.1 (LTS)
oracle / communications cloud native core automated test suite · 1.9.0

Mitigating Controls (NIST 800-53 r5)

prevent · AC-3 (Access Enforcement): Enforces authentication and access policy on the Jenkins CLI endpoint so that unauthenticated serialized payloads cannot reach the deserializer.

prevent · CM-7 (Least Functionality): Disables the remoting/Java-serialization CLI protocol by default and restricts the system to the safer HTTP-based CLI, directly eliminating the vulnerable code path.

prevent: Requires validation or filtering of untrusted input before deserialization, which would have blocked the crafted SignedObject that bypassed the existing blacklist.
