Jenkins Security Advisory 2015-11-06
This security advisory involves the Jenkins CLI.
CloudBees Product Security has been made aware of a remote code execution vulnerability that can be mounted by an anonymous attacker who has access to Jenkins over HTTP or its TCP port.
The [Jenkins CLI](https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI) is currently impacted by this issue.
An unprivileged anonymous user could use this flaw to remotely execute code. Anyone with a front-facing Jenkins instance (accessible from the internet, even through a reverse proxy) is vulnerable to the attack.
All CloudBees Jenkins on-premise installations are vulnerable to this flaw.
[SECURITY-218](https://github.com/jenkinsci-cert/SECURITY-218) provides a Groovy script that disables all CLI communication, over both HTTP and the TCP port.
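As an added illustration of the kind of mitigation described above (this is not the script from the SECURITY-218 repository, and it assumes the Jenkins-core classes `jenkins.AgentProtocol` and `hudson.cli.CLIAction` and that it is run by an administrator in the Jenkins script console), the snippet removes the CLI from both entry points and then checks that neither is still registered:

```groovy
// Illustrative mitigation script (assumption: run as an administrator in
// Manage Jenkins > Script Console). Not the SECURITY-218 repository's own script.
import jenkins.model.Jenkins
import jenkins.AgentProtocol
import hudson.model.RootAction
import hudson.cli.CLIAction

def jenkins = Jenkins.instance

// 1. Remove the CLI protocols from the TCP agent listener so the separate
//    TCP port no longer accepts CLI connections (their names contain "CLI").
//    Collect first, then remove, to avoid mutating the list while iterating.
def protocols = AgentProtocol.all()
protocols.findAll { it.name?.contains('CLI') }.each { proto ->
    println "Removing TCP agent protocol: ${proto.name}"
    protocols.remove(proto)
}

// 2. Remove the /cli root action so the HTTP endpoint is no longer served.
def removeCliAction = { list ->
    list.findAll { it instanceof CLIAction }.each { action ->
        println "Removing root action: ${action.class.name}"
        list.remove(action)
    }
}
removeCliAction(jenkins.getExtensionList(RootAction))
removeCliAction(jenkins.actions)

// 3. Verify: neither the protocol list nor the root actions still expose the CLI.
assert !AgentProtocol.all().any { it.name?.contains('CLI') }
assert !jenkins.getExtensionList(RootAction).any { it instanceof CLIAction }
println 'CLI disabled over both TCP and HTTP (in-memory only; reapply after restart)'
```

Because the script only changes in-memory extension lists, it must be reapplied on every start, for example from a script placed in `$JENKINS_HOME/init.groovy.d/`.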
We are currently investigating a permanent resolution to this issue.
This post will be updated as soon as any change in status is available.
For any additional questions please contact CloudBees Support at http://support.cloudbees.com
The Jenkins Community announcement can be found here: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli