This Metasploit module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. The ACL bypass gadget is specific to Jenkins versions 2.137 and below and will not work on later versions of Jenkins. Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
1fa7a0581a082a2a0c1e14681f05b88994d45c7f8daeb7fbed7b6dacc77b9a72Jenkins plugins Script Security version 1.49, Declarative version 1.3.4, and Groovy version 2.60 suffer from a code execution vulnerability.
1464739307633b75e322eb2e0907ec7933ce2f124fc0c0718f3077cf93613a62
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed