一、 漏洞 CVE-2017-1000353 基础信息
漏洞标题
N/A
来源:AIGC 神龙大模型
漏洞描述信息
"Jenkins版本2.56及更早版本,以及2.46.1 LTS及更早版本是受未授权远程代码执行漏洞影响的。未授权远程代码执行漏洞允许攻击者将序列化的Java `SignedObject`对象传输到Jenkins CLI,该对象将通过新的`ObjectInputStream`进行解码,绕过现有的基于白名单的防护机制。我们通过将`SignedObject`添加到白名单来修复这个问题。我们还将从Jenkins 2.54 版本回退到 LTS 2.46.2 版本的新的HTTP CLI协议,并废除基于远程执行(即Java序列化)的CLI协议,默认禁用它。"
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源:AIGC 神龙大模型
漏洞类别
N/A
来源:AIGC 神龙大模型
漏洞标题
N/A
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
CloudBees Jenkins 代码问题漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
CloudBees Jenkins是美国CloudBees公司的一款基于Java开发的开源的、可持续集成的自动化服务器,它主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。LTS(Long-Term Support)是CloudBees Jenkins的一个长期支持版本。 CloudBees Jenkins 2.56及之前的版本和2.46.1 LTS及之前的版本中存在远程代码执行漏洞。远程攻击者可通过向Jenkins CLI传递序列化的Java ‘SignedObject’对象利用该漏洞绕过基
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
代码问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2017-1000353 的公开POC
# POC 描述 源链接 神龙链接
1 jenkins CVE-2017-1000353 POC https://github.com/vulhub/CVE-2017-1000353 POC详情
2 None https://github.com/r00t4dm/Jenkins-CVE-2017-1000353 POC详情
3 Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2017/CVE-2017-1000353.yaml POC详情
4 None https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Jenkins-CI%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2017-1000353.md POC详情
5 https://github.com/vulhub/vulhub/blob/master/jenkins/CVE-2017-1000353/README.md POC详情
三、漏洞 CVE-2017-1000353 的情报信息