CVE-2017-1000353 - Jenkins Unauthenticated Remote Code Execution #11185
Comments
/bounty $50
/attempt #11185
/attempt #11185
💡 @hnd3884 submitted a pull request that claims the bounty. You can visit your bounty board to reward.
@aybanda: Reminder that in 4 days the bounty will become up for grabs, so please submit a pull request before then 🙏
🎉🎈 @hnd3884 has been awarded $50! 🎈🎊
Is there an existing template for this?
Template requests
Description:
Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to an unauthenticated remote code execution. The vulnerability arises from attackers being able to transfer a serialized Java SignedObject object to the Jenkins CLI, which is then deserialized using a new ObjectInputStream. This deserialization bypasses the existing blacklist-based protection mechanism. To address this, SignedObject has been added to the blacklist. Further, the new HTTP CLI protocol from Jenkins 2.54 has been backported to LTS 2.46.2, and the remoting-based (Java serialization) CLI protocol has been deprecated and disabled by default.
Severity:
Critical (CVSS: 9.8, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS:
PoCs:
Weaknesses:
Vulnerable CPE:
OSS:
Anything else?
No response
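A version check of the kind a detection template for this request would encode, written here as an added example (not code from this issue or from the nuclei-templates project). It applies the affected ranges stated in the description (weekly 2.56 and earlier, LTS 2.46.1 and earlier) to the version Jenkins advertises in its X-Jenkins response header; the sample HTTP response is constructed, and LTS versions are assumed to be the three-component ones (e.g. 2.46.1) while weekly releases have two.

```python
import re

# Affected ranges as given in the advisory text for CVE-2017-1000353.
LAST_VULNERABLE_WEEKLY = (2, 56)      # weekly releases <= 2.56
LAST_VULNERABLE_LTS = (2, 46, 1)      # LTS releases <= 2.46.1

# Constructed sample response; a real server sends the same header shape.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.46.1\r\n"
    "X-Hudson: 1.395\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)


def parse_jenkins_version(value):
    """Turn '2.46.1' or '2.60' into a tuple of ints; None if not a plain version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", value.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version):
    """True/False for a parseable version; None when the check is inconclusive.
    Assumption: three components means LTS, two means a weekly release."""
    v = parse_jenkins_version(version)
    if v is None:
        return None
    if len(v) == 3:
        return v <= LAST_VULNERABLE_LTS
    return v <= LAST_VULNERABLE_WEEKLY


def extract_jenkins_version(raw_response):
    """Return the X-Jenkins header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return val.strip()
    return None


def check_response(raw_response):
    """Map a raw response to (advertised_version, affected) for reporting."""
    version = extract_jenkins_version(raw_response)
    if version is None:
        return (None, None)                      # not Jenkins, or header hidden
    return (version, is_affected(version))
```

A missing header or an unparseable version yields None rather than a verdict, so the result can be reported as inconclusive instead of a false negative.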