Moderate severity · NVD Advisory · Published Oct 16, 2014 · Updated May 6, 2026

CVE-2014-3666

Description

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions    Patched versions
org.jenkins-ci.main:jenkins-core (Maven)  >= 1.566, < 1.583    1.583
org.jenkins-ci.main:jenkins-core (Maven)  < 1.565.3            1.565.3

Affected products

  • Jenkins/Jenkins (2 versions)
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:* range: <=1.582
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* range: <=1.565.2
  • cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*
    Range: <=3.1

Patches

be195b0e1934

[FIXED SECURITY-150]

https://github.com/jenkinsci/jenkins · Kohsuke Kawaguchi · Oct 1, 2014 · via ghsa
3 files changed · +4 -4
  • core/src/main/java/hudson/Launcher.java · +1 -1 · modified
    @@ -816,7 +816,7 @@ public Channel launchChannel(OutputStream out, ProcessBuilder pb) throws IOExcep
                      * Kill the process when the channel is severed.
                      */
                     @Override
    -                protected synchronized void terminate(IOException e) {
    +                public synchronized void terminate(IOException e) {
                         super.terminate(e);
                         ProcessTree pt = ProcessTree.get();
                         try {
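Review bot: the visibility of terminate(IOException) on this override goes from protected to public with no explanation in the Javadoc or the commit message. If this is forced by the remoting upgrade in pom.xml (an override cannot be less visible than the method it overrides), say so, and extend the comment to state that the method kills the process tree, since it can now be called by any code holding the Channel reference.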
    
  • core/src/main/java/hudson/slaves/Channels.java · +2 -2 · modified
    @@ -73,7 +73,7 @@ public static Channel forProcess(String name, ExecutorService execService, Input
                  * Kill the process when the channel is severed.
                  */
                 @Override
    -            protected synchronized void terminate(IOException e) {
    +            public synchronized void terminate(IOException e) {
                     super.terminate(e);
                     try {
                         proc.kill();
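Review bot: in this override super.terminate(e) runs before proc.kill(), so an unchecked exception thrown by super.terminate would skip the kill and leave the process running. Consider putting the super call in a try/finally so the kill always happens, which matters more now that the method is public.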
    @@ -109,7 +109,7 @@ public static Channel forProcess(String name, ExecutorService execService, final
                  * Kill the process when the channel is severed.
                  */
                 @Override
    -            protected synchronized void terminate(IOException e) {
    +            public synchronized void terminate(IOException e) {
                     super.terminate(e);
                     proc.destroy();
                     // the stderr copier should exit by itself
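Review bot: proc.destroy() here acts on the one process only, while the Launcher.java override in this same commit goes through ProcessTree. If proc is a java.lang.Process, descendants it spawned can outlive the severed channel; either use the same ProcessTree cleanup or document why destroy() is sufficient, next to the "stderr copier should exit by itself" assumption.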
    
  • pom.xml · +1 -1 · modified
    @@ -173,7 +173,7 @@ THE SOFTWARE.
           <dependency>
             <groupId>org.jenkins-ci.main</groupId>
             <artifactId>remoting</artifactId>
    -        <version>2.32</version>
    +        <version>2.46</version>
           </dependency>
     
           <dependency>
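Review bot: the remoting bump from 2.32 to 2.46 appears to carry the actual fix (the Java changes in this commit only widen method visibility), yet neither the pom nor the "[FIXED SECURITY-150]" message says which remoting change closes the issue. Reference the remoting fix in the commit message or changelog, and add a regression test; none of the three changed files is a test.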
    
