Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding SignedObject to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
CVE-2017-1000353
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2025-10-02), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- 8 internet-exposed hosts are running an affected version right now
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
8 internet-exposed hosts are running an affected version of CVE-2017-1000353 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 99.9%
- KEV
- ⚠ Exploited
Published
January 29, 2018
Last Modified
November 5, 2025
Advisory Details (3)
Auto-updated Jun 1, 2026CloudBees Jenkins 2.32.1 - Java Deserialization - Java dos Exploit
https://www.exploit-db.com/exploits/41965/Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | 1.396 ... 2.9 (388 versions) | 2.46.2 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 47× in last 7d / 202× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 285 total refreshes for this CVE.
- 2026-07-11 18:36 UTCEG score recompute
- 2026-07-11 14:44 UTCEG score recompute
- 2026-07-11 10:53 UTCEG score recompute
- 2026-07-11 08:24 UTCEPSS rescore
- 2026-07-11 07:01 UTCEG score recompute
- 2026-07-11 03:09 UTCEG score recompute
- 2026-07-10 23:18 UTCEG score recompute
- 2026-07-10 19:25 UTCEG score recompute
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 15:33 UTCEG score recompute
- 2026-07-10 11:40 UTCEG score recompute
- 2026-07-10 07:43 UTCEG score recompute
- 2026-07-10 03:51 UTCEG score recompute
- 2026-07-09 23:59 UTCEG score recompute
- 2026-07-09 20:06 UTCEG score recompute
- 2026-07-09 16:14 UTCEG score recompute
- 2026-07-09 12:20 UTCEG score recompute
- 2026-07-09 08:28 UTCEG score recompute
- 2026-07-09 04:35 UTCEG score recompute
- 2026-07-09 00:42 UTCEG score recompute
- 2026-07-08 20:49 UTCEG score recompute
- 2026-07-08 16:57 UTCEG score recompute
- 2026-07-08 13:05 UTCEG score recompute
- 2026-07-08 09:13 UTCEG score recompute
- 2026-07-08 05:21 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-08 01:28 UTCEG score recompute
- 2026-07-07 21:36 UTCEG score recompute
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:45 UTCEG score recompute
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 13:51 UTCEG score recompute
- 2026-07-07 10:00 UTCEG score recompute
- 2026-07-07 06:06 UTCEG score recompute
- 2026-07-07 02:13 UTCEG score recompute
- 2026-07-06 22:19 UTCEG score recompute
- 2026-07-06 18:26 UTCEG score recompute
- 2026-07-06 14:32 UTCEG score recompute
- 2026-07-06 10:39 UTCEG score recompute
- 2026-07-06 06:45 UTCEG score recompute
- 2026-07-06 02:54 UTCEG score recompute
- 2026-07-05 23:01 UTCEG score recompute
- 2026-07-05 19:08 UTCEG score recompute
- 2026-07-05 15:16 UTCEG score recompute
- 2026-07-05 11:23 UTCEG score recompute
- 2026-07-05 07:31 UTCEG score recompute
- 2026-07-05 03:40 UTCEG score recompute
- 2026-07-04 23:47 UTCEG score recompute
- 2026-07-04 19:55 UTCEG score recompute
- 2026-07-04 16:03 UTCEG score recompute
- 2026-07-04 12:12 UTCEG score recompute
- 2026-07-04 08:20 UTCEG score recompute
- 2026-07-04 04:26 UTCEG score recompute
- 2026-07-04 00:33 UTCEG score recompute
- 2026-07-03 20:40 UTCEG score recompute
- 2026-07-03 16:48 UTCEG score recompute
- 2026-07-03 12:56 UTCEG score recompute
- 2026-07-03 09:05 UTCEG score recompute
- 2026-07-03 05:13 UTCEG score recompute
- 2026-07-03 01:21 UTCEG score recompute
- 2026-07-02 21:29 UTCEG score recompute
- 2026-07-02 17:37 UTCEG score recompute
- 2026-07-02 13:42 UTCEG score recompute
- 2026-07-02 09:50 UTCEG score recompute
- 2026-07-02 05:59 UTCEG score recompute
- 2026-07-02 02:06 UTCEG score recompute
- 2026-07-01 22:15 UTCEG score recompute
- 2026-07-01 19:16 UTCCISA KEV update
- 2026-07-01 18:21 UTCEG score recompute
- 2026-07-01 14:30 UTCEG score recompute
- 2026-07-01 10:38 UTCEG score recompute
- 2026-07-01 06:46 UTCEG score recompute
- 2026-07-01 02:54 UTCEG score recompute
- 2026-06-30 23:02 UTCEG score recompute
- 2026-06-30 19:10 UTCEG score recompute
- 2026-06-30 15:19 UTCEG score recompute
- 2026-06-30 11:26 UTCEG score recompute
- 2026-06-30 07:34 UTCEG score recompute
- 2026-06-30 03:40 UTCEG score recompute
- 2026-06-29 23:48 UTCEG score recompute
- 2026-06-29 19:56 UTCEG score recompute
- 2026-06-29 19:12 UTCCISA KEV update
- 2026-06-29 16:04 UTCEG score recompute
- 2026-06-29 12:11 UTCEG score recompute
- 2026-06-29 08:19 UTCEG score recompute
- 2026-06-29 04:27 UTCEG score recompute
- 2026-06-29 00:32 UTCEG score recompute
- 2026-06-28 20:41 UTCEG score recompute
- 2026-06-28 16:49 UTCEG score recompute
- 2026-06-28 12:57 UTCEG score recompute
- 2026-06-28 09:05 UTCEG score recompute
- 2026-06-28 05:12 UTCEG score recompute
- 2026-06-28 01:21 UTCEG score recompute
- 2026-06-27 21:29 UTCEG score recompute
- 2026-06-27 17:37 UTCEG score recompute
- 2026-06-27 13:46 UTCEG score recompute
- 2026-06-27 09:54 UTCEG score recompute
- 2026-06-27 06:03 UTCEG score recompute
- 2026-06-27 02:11 UTCEG score recompute
- 2026-06-26 22:19 UTCEG score recompute
- 2026-06-26 18:28 UTCEG score recompute
Publicly available exploits
(4 references)Working exploit code is in the public domain (1 Metasploit module) (2 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Open source ↗GitHub PoCr00t4dm/Jenkins-CVE-2017-1000353First seen Oct 12, 2022
- GitHub PoCvulhub/CVE-2017-1000353First seen Apr 12, 2019
jenkins CVE-2017-1000353 POC
Open source ↗ - Exploit-DBEDB-41965First seen May 5, 2017
CloudBees Jenkins 2.32.1 - Java Deserialization
Open source ↗ - Metasploitexploit/linux/http/jenkins_cli_deserialization✓ verifiedFirst seen Apr 26, 2017
Jenkins CLI Deserialization
Open source ↗
Related CVEs(same CWE)
Same CWE
10 shownCWE-502
- CVE-2017-20208EG 9.8CRITICAL
- CVE-2017-20207EG 9.8CRITICAL
- CVE-2017-20206EG 9.8CRITICAL
- CVE-2017-20189EG 9.8CRITICAL
- CVE-2017-10992EG 9.8EPSS 95%CRITICAL
- CVE-2013-4521EG 9.8EPSS 90%CRITICAL
- CVE-2014-1860EG 9.8CRITICAL
- CVE-2016-1000027EG 9.8EPSS 98%CRITICAL
- CVE-2014-3699EG 9.8CRITICAL
- CVE-2017-18605EG 9.8CRITICAL
Frequently asked(6)
What is CVE-2017-1000353?
When was CVE-2017-1000353 disclosed?
Is CVE-2017-1000353 actively exploited?
What is the CVSS score of CVE-2017-1000353?
Which products are affected by CVE-2017-1000353?
How do I remediate CVE-2017-1000353?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2017-1000353
Is Your Infrastructure Affected by CVE-2017-1000353?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.