Miggo Logo
Miggo Vulnerability Database
CVE-2014-3666

CVE-2014-3666: Jenkins allows for Code Execution via Crafted Packet to the CLI

7.5

CVSS Score

Basic Information

CVE ID
CVE-2014-3666
GHSA ID
GHSA-fvfh-8mj3-23xj
EPSS Score
0.75534%
CWE
CWE-94
Published
5/17/2022
Updated
3/13/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.main:jenkins-coremaven>= 1.566, < 1.5831.583
org.jenkins-ci.main:jenkins-coremaven< 1.565.31.565.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper channel termination in Jenkins' CLI handling. The commit patching CVE-2014-3666 changed these methods' access modifiers from protected to public, enabling proper override behavior from security-hardened remoting library (updated to v2.46). This allowed correct process termination on channel closure, preventing attackers from maintaining malicious connections. The direct correlation between these method visibility changes and the remoting library update in the security fix confirms their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins ***or* *.*** *n* LTS ***or* *.***.* *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** vi* * *r**t** p**k*t to t** *LI ***nn*l.

Reasoning

T** vuln*r**ility st*mm** *rom improp*r ***nn*l t*rmin*tion in J*nkins' *LI **n*lin*. T** *ommit p*t**in* `*V*-****-****` ***n*** t**s* m*t*o*s' ****ss mo*i*i*rs *rom prot**t** to pu*li*, *n**lin* prop*r ov*rri** ****vior *rom s**urity-**r**n** r*mot