Jenkins Security Advisory 2016-11-16

This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.


Remote code execution vulnerability in remoting module

SECURITY-360 / CVE-2016-9299

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI. Deserializing that object made Jenkins connect to an attacker-controlled LDAP server, which in turn could return a serialized payload leading to code execution, bypassing the existing protection mechanisms (the blacklist of classes that Jenkins refuses to deserialize).

Severity

  • SECURITY-360 is considered critical as it allows unauthenticated attackers to execute arbitrary code.

Affected versions

  • All Jenkins main line releases up to and including 2.31

  • All Jenkins LTS releases up to and including 2.19.2

Fix

  • Jenkins main line users should update to 2.32

  • Jenkins LTS users should update to 2.19.3

These versions include the fix for the vulnerability described above. All prior versions are affected.


As part of this fix, a number of other so-called "gadgets" (classes whose deserialization can be abused to trigger unwanted behaviour) were reviewed and are now also prohibited by the deserialization blacklist. We tracked this activity as SECURITY-317.
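
The following Java program is an added example, not Jenkins' own code, showing the kind of control the remoting blacklist applies to the attack path above: an ObjectInputStream subclass that rejects classes matching a list of patterns before any of their readObject logic can run, so a JNDI-bearing object never gets the chance to open an LDAP connection. The blocked patterns, the class names GadgetFilterDemo and FilteringObjectInputStream, and the attacker LDAP URL are illustrative assumptions and not the actual Jenkins list; javax.naming.Reference is used only as a stand-in for a JNDI gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.Reference;

/**
 * Added example (not Jenkins code): an ObjectInputStream that refuses to resolve
 * blacklisted classes, in the spirit of the remoting class filter.
 * The patterns below are illustrative assumptions, not the real Jenkins list.
 */
public class GadgetFilterDemo {

    static final List<Pattern> BLOCKED = List.of(
        Pattern.compile("^javax\\.naming\\."),    // JNDI references that can trigger outbound lookups
        Pattern.compile("^com\\.sun\\.jndi\\."),  // JDK-internal JNDI/LDAP implementation classes
        Pattern.compile("^org\\.apache\\.commons\\.collections\\.functors\\.") // classic gadget chain
    );

    /** Rejects blacklisted classes at class-descriptor resolution, before readObject() runs. */
    static class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (Pattern p : BLOCKED) {
                if (p.matcher(name).find()) {
                    throw new InvalidClassException(name, "rejected by deserialization blacklist");
                }
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign payload (constructed sample): an ordinary collection passes the filter.
        ArrayList<String> benign = new ArrayList<>(List.of("build", "deploy"));
        System.out.println("accepted: " + deserialize(serialize(benign)));

        // Stand-in for a JNDI gadget: a Reference whose factory lives at an attacker LDAP URL
        // (hypothetical host). The filter rejects the class before its fields are even read.
        Reference ref = new Reference("java.lang.String", "com.example.Factory",
                                      "ldap://attacker.example:389/x");
        try {
            deserialize(serialize(ref));
            System.out.println("UNEXPECTED: reference was accepted");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 9 or newer JDK (List.of). On Java 9+ and 8u121+ the same check can be expressed declaratively with java.io.ObjectInputFilter (JEP 290); whichever mechanism is used, an allowlist of expected classes is stronger than a blacklist, because a blacklist only covers the gadgets that have already been reviewed, which is exactly why SECURITY-317 had to extend it.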

Other resources