The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests.

The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”

The attacker can use the channel to send SignedObject to the CLI. Jenkins deserialises it using a new ObjectInputStream, which the company says bypasses its blacklist-based protection mechanism.

To block it, Cloudbees has added SignedObject to its blacklist.

To test the vulnerability for yourself, the bug report suggests the following:

Create a serialised object whose payload is a command executed by running the payload.jar script;
Change the Python script jenkins_poc1.py to adjust the target target URL, and open your payload file.

Source: Jenkins admin? Get buzzy patching, says Cloudbees