CloudBees Security Advisory 2015-11-07

This security advisory involves the Jenkins CLI.


CloudBees Product Security has been made aware of a remote code execution vulnerability that can be exploited by anonymous attackers who have access to Jenkins over HTTP or its TCP port.


The Jenkins CLI is currently impacted by this issue.

An unprivileged anonymous user could use this flaw to remotely execute code. Anyone with a front-facing Jenkins instance (accessible through the internet, even through a reverse proxy) is vulnerable to the attack.

All CloudBees Jenkins on-premise installations are vulnerable to this flaw.

Determining Vulnerability



[SECURITY] ( ) provides a Groovy script that will disable CLI communication entirely.

This will disable all CLI communication.


We are currently investigating a permanent resolution to this issue.

Additional Information

This post will be updated as soon as any change in status is available.

For any additional questions please contact CloudBees Support at

The Jenkins Community announcement can be found here: