Jenkins Security Advisory 2017-04-26

Description

CSRF: Multiple Vulnerabilities (SECURITY-412 through SECURITY-420 / CVE-2017-1000356)

Multiple Cross-Site Request Forgery vulnerabilities allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. Actions include restarting Jenkins, scheduling downgrades, installing plugins, and more.

CLI: Unauthenticated Remote Code Execution (SECURITY-429 / CVE-2017-1000353)

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, bypassing the existing blocklist-based protection mechanism.

CLI: Login Command Allowed Impersonating Any Jenkins User (SECURITY-466 / CVE-2017-1000354)

The login command in the remoting-based CLI could store cached credentials, allowing users to impersonate other Jenkins users.

XStream: Java Crash When Trying to Instantiate Void/void (SECURITY-503 / CVE-2017-1000355)

A vulnerability in the XStream library could crash the Java process when trying to deserialize an XML document that instantiates Void or void.

Severity

SECURITY-412 through SECURITY-420: high
SECURITY-429: critical
SECURITY-466: high
SECURITY-503: medium

Affected Versions

All Jenkins mainline releases up to and including 2.56
All Jenkins LTS releases up to and including 2.46.1

Fix

Jenkins mainline users should update to 2.57
Jenkins LTS users should update to 2.46.2

Credit

Independent security researcher for SECURITY-429
Jesse Glick, CloudBees, Inc. for SECURITY-466
Steve Marlowe of Cisco ASIG for multiple vulnerabilities

Other Resources

Announcement blog post
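The affected-version ranges above differ for the mainline and LTS lines, which is easy to get wrong in an inventory check. The following Python is an added example, not part of the advisory: it classifies a Jenkins version string as mainline or LTS by its component count (mainline releases use two components such as 2.56, LTS releases three such as 2.46.1), reports whether the instance is in the vulnerable range, and names the fix release. It assumes the version string has already been collected from the instance, for example from the X-Jenkins response header Jenkins sends.

```python
import re
from typing import NamedTuple, Tuple

# Thresholds taken directly from the advisory's "Affected Versions" and "Fix" sections.
LAST_VULNERABLE_MAINLINE = (2, 56)
LAST_VULNERABLE_LTS = (2, 46, 1)
FIXED_MAINLINE = "2.57"
FIXED_LTS = "2.46.2"


class Assessment(NamedTuple):
    line: str         # "mainline" or "lts"
    affected: bool    # True when the version is at or below the last vulnerable release
    recommended: str  # release the advisory tells this line to update to


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.46.1' into (2, 46, 1) so releases compare as integer tuples.

    Mainline releases carry two components (2.56); LTS releases carry a third
    (2.46.1), which is how the two release lines are told apart below.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def assess(version: str) -> Assessment:
    """Decide whether a Jenkins version falls inside this advisory's affected range."""
    parts = parse_version(version)
    if len(parts) == 3:
        # LTS line: everything up to and including 2.46.1 is affected.
        return Assessment("lts", parts <= LAST_VULNERABLE_LTS, FIXED_LTS)
    # Mainline: everything up to and including 2.56 is affected.
    return Assessment("mainline", parts <= LAST_VULNERABLE_MAINLINE, FIXED_MAINLINE)


if __name__ == "__main__":
    # Constructed sample inventory; replace with values read from your own instances.
    for observed in ["2.56", "2.57", "2.46.1", "2.46.2", "1.651.3"]:
        result = assess(observed)
        status = f"AFFECTED, update to {result.recommended}" if result.affected else "not affected"
        print(f"{observed:>8} ({result.line}): {status}")
```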