Jenkins Vulnerability, Jenkins security vulnerability, CVE-2017-1000356, CVE-2017-1000353, CVE-2017-1000354, CVE-2017-1000355

On April 26, 2017, the Jenkins project (the continuous integration platform) published a security advisory together with fixed releases, addressing a number of security vulnerabilities (CVE-2017-1000353, CVE-2017-1000354, CVE-2017-1000355, CVE-2017-1000356).

Brief description of the vulnerabilities


Multiple CSRF vulnerabilities (CVE-2017-1000356) allow an attacker to make Jenkins restart immediately or after running jobs finish, remove all configured update sites, install and load any plugin available on the configured update site, change the Jenkins system, security and tool configuration, create a new agent, and more.


A remote code execution vulnerability (CVE-2017-1000353) in the remoting-based Jenkins CLI: an attacker can send it a serialized java.security.SignedObject. That wrapper carries its payload as an opaque byte array and deserializes it with a new, unfiltered ObjectInputStream when it is unwrapped, bypassing the existing blacklist-based protection mechanism.
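The following is an added illustration of that bypass, written for this page rather than taken from Jenkins or the advisory. It builds a blacklist-style ObjectInputStream of its own (a simplified stand-in for Jenkins' remoting class filter, not Jenkins code), wraps a constructed placeholder class in a SignedObject signed with a throwaway key, and shows that the blacklist never sees the inner class because SignedObject.getObject() opens its own stream. It then shows the mitigation of blacklisting the wrapper class itself. The class names ForbiddenGadget and BlacklistObjectInputStream are inventions for the demo; nothing is executed from the payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SignedObjectBypassDemo {

    /** Constructed stand-in for a class the blacklist is meant to keep out. Nothing here runs. */
    public static class ForbiddenGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "placeholder payload";
    }

    /** Minimal blacklist ObjectInputStream (demo code, not Jenkins' ClassFilter): rejects listed class names. */
    public static class BlacklistObjectInputStream extends ObjectInputStream {
        private final Set<String> blacklist;

        BlacklistObjectInputStream(byte[] data, Set<String> blacklist) throws IOException {
            super(new ByteArrayInputStream(data));
            this.blacklist = blacklist;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (blacklist.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "rejected by blacklist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The attacker signs the wrapper with a key pair they generated; the receiver never
        // checks the signature, it only needs the object to deserialize.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        SignedObject wrapper = new SignedObject(new ForbiddenGadget(), kp.getPrivate(),
                Signature.getInstance("SHA256withRSA"));
        byte[] wire = serialize(wrapper);

        Set<String> blacklist = new HashSet<>(Arrays.asList(ForbiddenGadget.class.getName()));

        // 1. The filtering stream only ever resolves java.security.SignedObject and byte[]:
        //    the real payload travels as an opaque byte array, so resolveClass() never sees it.
        SignedObject received;
        try (ObjectInputStream in = new BlacklistObjectInputStream(wire, blacklist)) {
            received = (SignedObject) in.readObject();
        }

        // 2. getObject() unwraps that byte[] with a fresh, plain ObjectInputStream of its own,
        //    so the blacklist is never consulted for the inner class.
        Object inner = received.getObject();
        System.out.println("bypass: blacklist stream delivered " + inner.getClass().getName());

        // Mitigation: treat the wrapper itself as forbidden (Jenkins' remoting blacklist
        // now rejects java.security.SignedObject for the same reason).
        Set<String> hardened = new HashSet<>(blacklist);
        hardened.add(SignedObject.class.getName());
        try (ObjectInputStream in = new BlacklistObjectInputStream(wire, hardened)) {
            in.readObject();
            System.out.println("unexpected: wrapper accepted");
        } catch (InvalidClassException e) {
            System.out.println("hardened: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo`. The lesson generalises beyond SignedObject: any class whose readObject or accessor opens its own ObjectInputStream over embedded bytes is a hole in a per-stream blacklist, which is why allow-lists, or a JVM-wide deserialization filter that applies to every stream, are the more durable fix.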


The remoting-based CLI stored the encrypted user name of a previously authenticated user in a cache file used to authenticate further commands (CVE-2017-1000354). Users with permission to create secrets in Jenkins could use this to impersonate any other Jenkins user on the same instance.


Jenkins uses the XStream library to serialize and deserialize XML. Its maintainers recently published a security advisory (CVE-2017-1000355 in Jenkins): any user who can supply XML that Jenkins parses with XStream can crash the Java process. In Jenkins this typically applies to users with permission to create or configure a project (job), view, or agent.

For details of each vulnerability, refer to the following link:

Affected versions

Jenkins Version <= 2.56

Jenkins LTS Version <= 2.46.1

Fixed versions

Jenkins Version 2.57

Jenkins LTS Version 2.46.2

Mitigation

The Jenkins project has released new versions that fix the vulnerabilities above; affected users should upgrade to them as soon as possible. Download link:

Reference link:

The post Jenkins multiple Vulnerability appeared first on Penetration Testing in Linux.

