Jenkins Remote CLI Vulnerability

Written by: James Brown

SECURITY 218

CloudBees Product Security has been made aware of a remote code execution vulnerability that can be mounted by an anonymous attacker who has access to Jenkins over HTTP or its TCP port.

Impact

The Jenkins CLI is currently impacted by this issue.

An unprivileged anonymous user could use this flaw to remotely execute code. Anyone with a front-facing Jenkins instance (accessible through the internet, even through a reverse proxy) is vulnerable to the attack.

All Jenkins and CloudBees Jenkins on-premise installations are vulnerable to this flaw.

Resolution

https://cloudbees.com/jenkins-security-advisory-2015-11-06

Mitigation

SECURITY-218 provides a Groovy script that disables CLI communication entirely; all CLI communication, including legitimate use, will stop working while the script's changes are in effect.
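The advisory's own script is not reproduced on this page; the following is an added Groovy example (not CloudBees' script) of what such a mitigation does when run from the Jenkins script console. It assumes Jenkins core's AgentProtocol and RootAction extension points, that the TCP-side CLI protocols have names containing "CLI", and that the HTTP /cli endpoint is served by a RootAction whose class name contains "CLIAction".

```groovy
// Added example: disable both CLI entry points the advisory describes (HTTP and TCP port).
// Run from Manage Jenkins > Script Console. Assumptions: AgentProtocol / RootAction
// extension points exist, CLI protocol names contain "CLI", and the HTTP endpoint's
// class name contains "CLIAction".
import jenkins.AgentProtocol
import jenkins.model.Jenkins
import hudson.model.RootAction

def j = Jenkins.instance
def removed = []

// 1. TCP port: drop the agent protocols that carry CLI traffic.
//    Collect first, then remove, to avoid mutating the list while iterating it.
def protocols = AgentProtocol.all()
def cliProtocols = protocols.findAll { it.name?.contains('CLI') }
cliProtocols.each { p ->
    protocols.remove(p)
    removed << "TCP protocol ${p.name}"
}

// 2. HTTP: remove the /cli root action from the extension list and from the
//    instance's action list, so the URL no longer resolves.
def dropCliActions = { List list, String where ->
    def hits = list.findAll { it.getClass().name.contains('CLIAction') }
    hits.each { a ->
        list.remove(a)
        removed << "${where}: ${a.getClass().name}"
    }
}
dropCliActions(j.getExtensionList(RootAction), 'RootAction extension list')
dropCliActions(j.actions, 'Jenkins actions')

// Report what changed so an administrator can verify the result.
if (removed.isEmpty()) {
    println 'No CLI entry points found; nothing to remove.'
} else {
    removed.each { println "Removed ${it}" }
}
```

These removals are in-memory only and are undone by a restart, so to keep the CLI disabled until the fixed release linked under Resolution is installed, place the script in $JENKINS_HOME/init.groovy.d/ so it runs at every startup.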

Additional Information
