🔴 CVE-2017-1000353

Jenkins automation servers up to and including version 2.56 (and LTS releases up to and including 2.46.1) contain an unauthenticated remote code execution vulnerability in the CLI, reachable through Java deserialization of a crafted `SignedObject`. Exploitation needs no credentials and no user interaction, yields code execution as the Jenkins process, and CISA lists the CVE in its Known Exploited Vulnerabilities (KEV) catalog as actively exploited.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2018-01-29

Added to CISA KEV: 2025-10-02 (2803 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2017-1000353 is a critical remote code execution (RCE) vulnerability that primarily affected Jenkins, a widely used open-source automation server [1].

Attack Method and Exploitation Requirements
  • Method: The vulnerability is insecure Java deserialization. The remoting-based CLI accepted serialized Java objects from unauthenticated clients, so an attacker can send a crafted serialized `SignedObject` whose embedded object carries the actual payload [2].
  • Bypass: `SignedObject.getObject()` deserializes the embedded byte array with a fresh, plain `ObjectInputStream`. The class blacklist Jenkins applied at the time guarded only the outer stream, which sees nothing but a `SignedObject`, so the inner object was never checked against it [1].
  • Requirements:
    * Network vs. Local: This is a remote vulnerability; it does not require local access to the server [5].
    * Authentication: It is unauthenticated; an attacker does not need valid credentials to execute the attack [2].
    * User Interaction: None is required for successful exploitation.
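The bypass described in the Bypass bullet above, as an added illustration that is not code from the original page or from the Jenkins project: a stand-alone Java program with a blacklisting `ObjectInputStream` of the kind Jenkins relied on, a harmless stand-in class `Forbidden` in place of a real gadget class, and a `SignedObject` wrapper around it. The class names, the throwaway RSA key and the blacklist entry itself are constructed for the demo; `SignedObject.getObject()` is the real JDK method and behaves as shown.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;

public class SignedObjectBypassDemo {

    // Constructed stand-in for a blacklisted gadget class. It is harmless; the question is
    // only whether a blacklist on the outer stream can stop it from being instantiated.
    static final class Forbidden implements Serializable {
        private static final long serialVersionUID = 1L;
        final String marker = "constructed inner object";
    }

    // Blacklist-style protection of the kind Jenkins applied before the fix: the stream
    // refuses to resolve named classes, but it only sees classes it deserializes itself.
    static final class BlacklistingObjectInputStream extends ObjectInputStream {
        BlacklistingObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (desc.getName().equals(Forbidden.class.getName())) {
                throw new InvalidClassException(desc.getName(), "class is blacklisted");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Reads one object through the blacklisting stream, as the protected endpoint would.
    static Object readThroughBlacklist(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new BlacklistingObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Sent directly, the blacklist does its job.
        try {
            readThroughBlacklist(serialize(new Forbidden()));
            System.out.println("direct: NOT blocked (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("direct: blocked (" + e.getMessage() + ")");
        }

        // 2. Wrapped in a SignedObject. The sender signs with any key of their own; the
        //    receiver never verifies, and getObject() does not require verification anyway.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        SignedObject wrapper = new SignedObject(new Forbidden(), kp.getPrivate(),
                Signature.getInstance("SHA256withRSA"));

        // The outer stream only resolves java.security.SignedObject (two byte[] fields and
        // a String), so the blacklist passes it through untouched.
        SignedObject received = (SignedObject) readThroughBlacklist(serialize(wrapper));

        // 3. getObject() deserializes the embedded bytes with a plain new ObjectInputStream
        //    that knows nothing about the blacklist, so the forbidden class is instantiated.
        Forbidden inner = (Forbidden) received.getObject();
        System.out.println("via SignedObject: instantiated " + inner.getClass().getName()
                + " with marker '" + inner.marker + "'");
    }
}
```

Compile and run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo`: step 1 is blocked, step 3 instantiates `Forbidden`. Run it again with a JEP 290 process-wide filter, `java -Djdk.serialFilter='!SignedObjectBypassDemo$Forbidden' SignedObjectBypassDemo` (available since Java 8u121 and in Java 9+), and the inner stream created by `getObject()` is filtered as well, so step 3 fails with `java.io.InvalidClassException` (filter status: REJECTED). That is the design lesson: a per-stream blacklist only covers streams you construct yourself; any library call that opens its own `ObjectInputStream` over attacker-controlled bytes needs a process-wide filter, or better, no native Java deserialization of untrusted input at all.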
Impact and Access
Successful exploitation provides an attacker with Remote Code Execution (RCE) capabilities. This allows the attacker to execute arbitrary commands on the underlying server with the privileges of the Jenkins process, typically leading to a full system compromise [3].
Exploitation in the Wild and Availability
  • Exploit Availability: Proof-of-concept (PoC) code and exploit modules have been publicly available since shortly after the vulnerability's disclosure in 2017 [4].
  • Status: The vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild [1]. It is broadly treated as a high-risk initial-access vector into CI/CD pipelines, since a Jenkins controller typically holds credentials for source repositories, artifact stores and deployment targets.
Affected Versions and Mitigation
  • Affected Versions:
    * Jenkins weekly releases up to and including 2.56.
    * Jenkins LTS (Long Term Support) releases up to and including 2.46.1 [1].
  • Mitigation: The primary mitigation is to upgrade to a patched version of Jenkins: 2.57 or later on the weekly line, 2.46.2 or later on the LTS line. Organizations running legacy Jenkins versions should move to a current release, which also removes the many security flaws fixed since 2017. The running version is reported in the `X-Jenkins` HTTP response header and in the `jenkins.war` manifest, which makes an inventory check straightforward.
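An added version check, not from the original page or the Jenkins project, that decides whether a reported version string falls into the affected ranges listed above. The class and method names and the sample version strings are constructed for the example; the weekly-versus-LTS distinction is made on the number of numeric components (weekly releases are `2.N`, LTS releases `2.N.M`), and each line is compared against its own last affected release.

```java
import java.util.Arrays;
import java.util.List;

public final class JenkinsCve20171000353Check {

    // Last affected release on each line, per the advisory: weekly 2.56, LTS 2.46.1.
    private static final int[] LAST_AFFECTED_WEEKLY = {2, 56};
    private static final int[] LAST_AFFECTED_LTS = {2, 46, 1};

    // Parses "2.46.1", "2.57" or "2.60.1-SNAPSHOT" into numeric components; anything after
    // the first '-' or '+' (build metadata) is ignored for the comparison.
    static int[] parse(String version) {
        String core = version.trim().split("[-+]", 2)[0];
        return Arrays.stream(core.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    // Lexicographic compare of version tuples, missing trailing components treated as zero.
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    // Weekly releases have two components (2.56), LTS releases three (2.46.1). Each line
    // has its own last affected release, so the version is compared against the right one.
    public static boolean isAffected(String version) {
        int[] v = parse(version);
        int[] lastAffected = v.length >= 3 ? LAST_AFFECTED_LTS : LAST_AFFECTED_WEEKLY;
        return compare(v, lastAffected) <= 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, in the form the X-Jenkins response header reports them.
        List<String> samples = Arrays.asList(
                "2.46.1", "2.46.2", "2.56", "2.57", "2.32.3", "1.651.3", "2.60.1");
        for (String v : samples) {
            System.out.printf("%-10s %s%n", v, isAffected(v) ? "AFFECTED" : "not affected");
        }
    }
}
```

With the samples above, 2.46.1, 2.56, 2.32.3 and 1.651.3 are reported as affected and 2.46.2, 2.57 and 2.60.1 as not affected; older LTS lines such as 2.32.x and 1.651.x fall under "2.46.1 and earlier" and are caught by the same comparison. Feed the function the value of the `X-Jenkins` header from each controller in an inventory to find the ones still exposed.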

Sources

  1. CVE-2017-1000353 : Jenkins versions 2.56 and earlier as well as 2.46.1 ...

    Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized…

  2. CVE-2017-1000353 Detail - NVD

    An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI. …

  3. CVE-2017-1000353: Jenkins Remote Code Execution Vulnerability

    Learn about CVE-2017-1000353, a critical vulnerability in Jenkins allowing remote code execution. Find out how to mitigate the risk and secure your systems. Jenkins versions prior to 2.56 and 2.46.1 LTS and earlier are susceptible to a remote code execution vulnerability. Jenkins 2.46.1 LTS and earli…

  4. jenkins CVE-2017-1000353 POC - GitHub

    Download CVE-2017-1000353-SNAPSHOT-all.jar. ... It has been successfully tested with openjdk:8u292. Other Java versions may not work properly for payload generation and exploitation. How to generate the payload jenkin…

  5. CVE-2017-1000353 | Critical Vulnerability in Jenkins and Oracle ...

    Critical unauthenticated remote code execution vulnerability in Jenkins and Oracle products. Immediate patching required to mitigate risks. ... Organizations must patch immediate…