CVE-2017-1000353: Deserialization of Untrusted Data in Jenkins
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing denylist-based protection mechanism.
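As an added illustration (not Jenkins code and not code from the advisory), the following standalone Java program shows the mechanism the description names: a denylist enforced in a custom ObjectInputStream only sees the classes of the outer stream (SignedObject and byte[]), while SignedObject.getObject() opens its own ObjectInputStream for the embedded content, so the denylist is never consulted for the nested object. It then shows how a process-wide serialization filter (JEP 290, Java 9+) applies to that inner stream as well. The Payload class, the DenylistingStream class and its denylist entry are constructed for this demo; nothing here is drawn from the Jenkins implementation.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class NestedDeserializationDemo {

    // Constructed stand-in for any class an outer-stream denylist is meant to block (hypothetical).
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Payload(String note) { this.note = note; }
    }

    // Denylist-based ObjectInputStream of the kind the advisory describes as bypassed.
    // Hypothetical example class; the denylist entry is a constructed name, not a real gadget.
    static final class DenylistingStream extends ObjectInputStream {
        static final Set<String> DENY = Set.of("NestedDeserializationDemo$Payload");
        final List<String> classesSeen = new ArrayList<>();

        DenylistingStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            classesSeen.add(name);
            if (DENY.contains(name)) {
                throw new InvalidClassException(name, "denylisted");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // SignedObject stores its content as a byte[] holding the already-serialized payload,
        // so the outer stream only ever resolves SignedObject, byte[] and String.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        SignedObject wrapper = new SignedObject(new Payload("constructed sample"),
                kp.getPrivate(), Signature.getInstance("SHA256withRSA"));
        byte[] bytes = serialize(wrapper);

        // 1. Denylist on the outer stream: resolveClass never sees Payload, so the denylist cannot fire.
        DenylistingStream outer = new DenylistingStream(new ByteArrayInputStream(bytes));
        SignedObject so = (SignedObject) outer.readObject();
        System.out.println("Outer stream resolved: " + outer.classesSeen);
        // getObject() creates a fresh ObjectInputStream internally; our resolveClass is not involved.
        Payload p = (Payload) so.getObject();
        System.out.println("Nested object deserialized despite the denylist: " + p.note);

        // 2. Process-wide filter (JEP 290): the JVM applies it to every ObjectInputStream created
        //    afterwards, including the one SignedObject.getObject() opens. Allow only java.** here.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("java.**;!*"));
        SignedObject so2 = (SignedObject) new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
        try {
            so2.getObject();
            System.out.println("unexpected: nested object passed the process-wide filter");
        } catch (InvalidClassException e) {
            System.out.println("Process-wide filter rejected the nested object: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac NestedDeserializationDemo.java && java NestedDeserializationDemo` on Java 9 or later. The first part prints a class list without Payload and still yields the nested object; the second part fails with a `filter status: REJECTED` InvalidClassException, because the filter is installed at the JVM level rather than on one stream. The same effect can be obtained without code changes by starting the JVM with the `jdk.serialFilter` system property, which is the practical mitigation pattern for nested deserialization paths that application code does not control.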
References
- github.com/advisories/GHSA-26wc-3wqp-g3rp
- github.com/jenkinsci/jenkins
- github.com/jenkinsci/jenkins/commit/36b8285a41eb28333549e8d851f81fd80a184076
- github.com/jenkinsci/jenkins/commit/f237601afd750a0eaaf961e8120b08de238f2c3f
- jenkins.io/security/advisory/2017-04-26
- nvd.nist.gov/vuln/detail/CVE-2017-1000353
- www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353
- www.exploit-db.com/exploits/41965
- www.oracle.com/security-alerts/cpuapr2022.html
Detect and mitigate CVE-2017-1000353 with GitLab Dependency Scanning