CloudBees Product Security has been made aware of a remote code execution vulnerability that can be mounted by an anonymous attacker who has access to Jenkins over HTTP or its TCP port.
The Jenkins CLI is currently impacted by this issue.
An unprivileged anonymous user could use this flaw to remotely execute code. Anyone with a front-facing Jenkins instance (reachable from the internet, even when it sits behind a reverse proxy) is vulnerable to the attack.
All Jenkins and CloudBees Jenkins on-premise installations are vulnerable to this flaw.
SECURITY-218 provides a Groovy script that disables CLI communication entirely.
Note that this mitigation disables all CLI communication, legitimate use included, until it is reverted.
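For illustration, the following Groovy script is an added example of the kind of mitigation referred to above; it is not the script attached to SECURITY-218 (use that one as published). It assumes the Jenkins core classes `jenkins.AgentProtocol` and `hudson.model.RootAction`, and that the CLI protocol and root action are identifiable by the names "CLI" and "CLIAction"; it can be run from the Script Console and placed in `$JENKINS_HOME/init.groovy.d/` so it is reapplied on every restart.

```groovy
import jenkins.model.Jenkins
import jenkins.AgentProtocol
import hudson.model.RootAction

// Added example, not the SECURITY-218 script. Two paths reach the CLI:
//  1. the TCP agent listener, where the CLI is registered as an AgentProtocol
//  2. the HTTP endpoint /cli, served by a RootAction named CLIAction
// Removing both blocks every CLI request, legitimate ones included.

def jenkins = Jenkins.instance

// 1. Drop the CLI protocol from the TCP listener. Collect first, then remove,
//    so the extension list is not modified while it is being iterated.
def protocols = AgentProtocol.all()
def cliProtocols = protocols.findAll { it.name.contains("CLI") }   // assumption: name contains "CLI"
cliProtocols.each { protocols.remove(it) }
println "Removed ${cliProtocols.size()} CLI agent protocol(s)"

// 2. Drop the HTTP /cli root action from both registries Jenkins consults.
def removeCliActions = { List actions ->
    def found = actions.findAll { it.getClass().name.contains("CLIAction") } // assumption: class name
    found.each { actions.remove(it) }
    return found.size()
}
int removed = removeCliActions(jenkins.getExtensionList(RootAction.class))
removed += removeCliActions(jenkins.actions)
println "Removed ${removed} CLI root action(s)"
```

After running it, a request to `<jenkins-url>/cli` should no longer be served by the CLI action; re-run the script after any restart unless it lives in `init.groovy.d/`.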
- This blog post will be updated as soon as any change in status is available.
- For any additional questions please contact CloudBees Support at http://support.cloudbees.com.
- The Jenkins Community announcement can be found at https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli