2018-02-15 16:35
2018-02-01 19:03
2018-01-29 20:35
2017-05-10 23:55
2017-04-28 13:03


Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information



Release Package Reason
precise jenkins ignored
precise/esm jenkins DNE
trusty jenkins DNE
vivid/stable-phone-overlay jenkins DNE
vivid/ubuntu-core jenkins DNE
xenial jenkins DNE
yakkety jenkins DNE
zesty jenkins DNE
devel jenkins DNE

Needs Triage

Release Package Reason
upstream jenkins needs-triage