CloudBees Security Advisory 2015-11-07

This security advisory involves the Jenkins CLI.

SECURITY-218

CloudBees Product Security has been made aware of a remote code execution vulnerability that can be mounted by an anonymous attacker who has access to Jenkins over HTTP or over its TCP port.

Impact

The [Jenkins CLI](https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI) is currently impacted by this issue.

An unprivileged anonymous user could use this flaw to remotely execute code. Anyone with a front-facing Jenkins instance (reachable from the internet, even when behind a reverse proxy) is vulnerable to the attack.

All CloudBees Jenkins on-premise installations are vulnerable to this flaw.

Determining Vulnerability

TBD

Mitigation

[SECURITY-218](https://github.com/jenkinsci-cert/SECURITY-218) provides a Groovy script that will disable CLI communication entirely.

This will disable all CLI communication.
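To illustrate the shape of such a mitigation, below is an added example for the Jenkins script console. It is not the script published in the SECURITY-218 repository and is not CloudBees code; it assumes that the CLI's TCP listener is registered as an AgentProtocol whose name contains "CLI" and that the HTTP endpoint is served by a root action whose class name contains "CLIAction" (both are assumptions about the Jenkins version in use, so verify the printed results before relying on it).

```groovy
// Added example (not the SECURITY-218 script). Run from Manage Jenkins -> Script Console.
import jenkins.model.Jenkins
import jenkins.AgentProtocol
import hudson.model.RootAction

def j = Jenkins.instance

// 1. Unregister the CLI transport on the TCP agent port.
//    Assumption: the relevant protocols have "CLI" in their name.
def protocols = AgentProtocol.all()
def removedProtocols = protocols.findAll { it.name?.contains("CLI") }
removedProtocols.each { protocols.remove(it) }

// 2. Unregister the CLI root action that serves the /cli HTTP endpoint.
//    Assumption: the action's class name contains "CLIAction".
def unregister = { List actions ->
    def hits = actions.findAll { it.getClass().name.contains("CLIAction") }
    hits.each { actions.remove(it) }
    return hits
}
def removedActions = []
removedActions += unregister(j.getExtensionList(RootAction.class))
removedActions += unregister(j.actions)

// 3. Report what was removed and what, if anything, is still registered,
//    so the operator can confirm the mitigation actually took effect.
println "Removed TCP protocols: ${removedProtocols*.name}"
println "Removed root actions:  ${removedActions*.getClass()*.name}"
println "CLI protocols still registered: ${AgentProtocol.all().findAll { it.name?.contains('CLI') }*.name}"
println "CLIAction still registered:     ${j.actions.any { it.getClass().name.contains('CLIAction') }}"
```

These changes are made to in-memory extension lists only, so they do not survive a Jenkins restart; the script must be re-applied after each restart until a fixed release is installed. After running it, confirm from the output that no CLI protocol or CLIAction remains, and check that the existing URL/TCP port no longer answers CLI requests.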

Resolution

We are currently investigating a permanent resolution to this issue.

Additional Information

This post will be updated as soon as any change in status is available.

For any additional questions please contact CloudBees Support at http://support.cloudbees.com

The Jenkins Community announcement can be found here: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli