## Jenkins Security Advisory 2017-04-26

### Description

**CSRF: Multiple Vulnerabilities (SECURITY-412 through SECURITY-420 / CVE-2017-1000356)**

- Multiple Cross-Site Request Forgery vulnerabilities allowed malicious users to perform several administrative actions by tricking an authenticated victim into opening an attacker-controlled web page. Actions include restarting Jenkins, scheduling downgrades, installing plugins, and more.

**CLI: Unauthenticated Remote Code Execution (SECURITY-429 / CVE-2017-1000353)**

- An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` to the remoting-based Jenkins CLI, bypassing the existing blocklist-based protection mechanism.

**CLI: Login Command Allowed Impersonating Any Jenkins User (SECURITY-466 / CVE-2017-1000354)**

- The `login` command in the remoting-based CLI stored cached credentials in a way that allowed users to impersonate other Jenkins users.

**XStream: Java Crash When Trying to Instantiate Void/void (SECURITY-503 / CVE-2017-1000355)**

- A vulnerability in the XStream library could crash the Java process when deserializing an XML document that instantiates `void` or `Void`.

### Severity

- SECURITY-412 through SECURITY-420: **high**
- SECURITY-429: **critical**
- SECURITY-466: **high**
- SECURITY-503: **medium**

### Affected Versions

- All Jenkins mainline releases up to and including 2.56
- All Jenkins LTS releases up to and including 2.46.1

### Fix

- Jenkins mainline users should update to 2.57
- Jenkins LTS users should update to 2.46.2

### Credit

- Independent security researcher for SECURITY-429
- Jesse Glick, CloudBees, Inc. for SECURITY-466
- Steve Marlowe of Cisco ASIG for multiple vulnerabilities

### Other Resources

- [Announcement blog post](#)
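The SECURITY-429 entry describes a serialized `SignedObject` slipping past a blocklist-based deserialization filter. The Java program below is an added example, not code from the advisory or from Jenkins, showing the general reason such a bypass works: a `resolveClass()`-based blocklist only inspects the classes named in the stream it wraps, while `SignedObject.getObject()` deserializes its embedded `byte[]` with a fresh, unfiltered `ObjectInputStream`. The names `SignedObjectBypassDemo`, `BlocklistObjectInputStream` and `Forbidden` are constructed for this example; `Forbidden` is a harmless stand-in that merely announces when its `readObject` hook runs, not a real gadget. The hardening at the end (a process-wide `ObjectInputFilter`, Java 9+) is one general mitigation for nested deserialization, not a description of how Jenkins fixed the issue.

```java
import java.io.*;
import java.security.*;

public class SignedObjectBypassDemo {

    // Stand-in for a class the blocklist is meant to keep out. Constructed for this
    // example: it has no dangerous behaviour, it only reports that its hook executed.
    public static class Forbidden implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("  Forbidden.readObject executed during deserialization");
        }
    }

    // Per-stream blocklist in the resolveClass() style. It sees only the classes named in
    // the stream it wraps, never anything carried as opaque bytes inside those objects.
    static class BlocklistObjectInputStream extends ObjectInputStream {
        BlocklistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (Forbidden.class.getName().equals(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "rejected by blocklist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readWithBlocklist(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new BlocklistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature signer = Signature.getInstance("SHA256withRSA");

        // 1. Sent directly, the forbidden class is caught by resolveClass().
        System.out.println("direct payload:");
        try {
            readWithBlocklist(serialize(new Forbidden()));
        } catch (InvalidClassException e) {
            System.out.println("  blocked: " + e.getMessage());
        }

        // 2. Wrapped in a SignedObject, the outer stream names only SignedObject and
        //    byte[] (plus a String), all of which the blocklist allows ...
        System.out.println("SignedObject-wrapped payload:");
        SignedObject wrapped = new SignedObject(new Forbidden(), kp.getPrivate(), signer);
        SignedObject received = (SignedObject) readWithBlocklist(serialize(wrapped));
        System.out.println("  outer stream accepted " + received.getClass().getName());
        // ... and getObject() deserializes the embedded bytes with its own plain
        //     ObjectInputStream, so the per-stream blocklist never sees Forbidden.
        Object inner = received.getObject();
        System.out.println("  inner object: " + inner.getClass().getName());

        // 3. Hardening option (Java 9+): a process-wide ObjectInputFilter is applied to every
        //    ObjectInputStream created afterwards, including the one inside getObject().
        System.out.println("with process-wide ObjectInputFilter:");
        ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter("!" + Forbidden.class.getName()));
        SignedObject again = (SignedObject) readWithBlocklist(serialize(wrapped));
        try {
            again.getObject();
        } catch (InvalidClassException e) {
            System.out.println("  blocked inside getObject(): " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo` on Java 9 or later. Step 2 prints the `Forbidden.readObject` message even though step 1 was blocked, which is the whole point: any filter that is attached to one stream rather than to the process is defeated by a carrier class that deserializes its own payload. On JDK 8u121 and later the same process-wide filter can be set with the `-Djdk.serialFilter=...` system property instead of the `ObjectInputFilter` API.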