Unauthenticated remote code execution vulnerability in Jenkins


Daniel Beck

Nov 11, 2016, 8:51:08 AM11/11/16
to Jenkins Advisories
We have received a report of a possible unauthenticated remote code execution vulnerability in Jenkins (all versions).

We strongly advise anyone running a Jenkins instance on a public network to disable the CLI for now.

As this uses the same attack vector as SECURITY-218, you can reuse the script and instructions published in this repository:
https://github.com/jenkinsci-cert/SECURITY-218

I will update this thread when we have more information.
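The mitigation above is to switch off both CLI transports (the TCP agent-port protocol and the /cli HTTP endpoint) until a fix ships. The following is an added example of such an init script, not the script from the jenkinsci-cert/SECURITY-218 repository referenced above; it assumes the 2016-era core classes hudson.cli.CliProtocol (agent protocols named "CLI-connect"/"CLI2-connect") and hudson.cli.CLIAction (the /cli root action), and matches on class names so it is a no-op if those classes are absent.

```groovy
// Added example: drop both Jenkins CLI transports at startup.
// Save as $JENKINS_HOME/init.groovy.d/disable-cli.groovy (runs on every boot),
// or paste into Manage Jenkins > Script Console for a one-off change.
// Assumption: CLI classes live under hudson.cli.* (true for 2016 Jenkins cores).
import jenkins.AgentProtocol
import jenkins.model.Jenkins
import hudson.model.RootAction

def jenkins = Jenkins.getInstance()

// 1. TCP transport: remove the CLI protocol handlers from the set of protocols
//    the agent/CLI port accepts. Other protocols (JNLP agents) stay in place.
def protocols = AgentProtocol.all()
def cliProtocols = protocols.findAll { it.getClass().getName().startsWith('hudson.cli.') }
cliProtocols.each { p ->
    protocols.remove(p)
    println "Removed agent protocol: ${p.getName()}"
}

// 2. HTTP transport: remove the /cli root action from every list Jenkins
//    consults when routing a request, so /cli stops resolving at all.
def removeCliAction = { List list ->
    list.findAll { it.getClass().getName() == 'hudson.cli.CLIAction' }.each { a ->
        list.remove(a)
        println "Removed root action: ${a.getClass().getName()}"
    }
}
removeCliAction(jenkins.getExtensionList(RootAction))
removeCliAction(jenkins.getActions())

// Report what is left so the change can be eyeballed in the Script Console output.
println "Remaining agent protocols: ${AgentProtocol.all().collect { it.getName() }}"
println "CLI action still registered: " +
    jenkins.getExtensionList(RootAction).any { it.getClass().getName() == 'hudson.cli.CLIAction' }
```

After running it, confirm from outside the host that the /cli URL of the instance no longer answers (it should 404 rather than render the CLI page) and that the CLI client can no longer connect. The script removes the handlers from in-memory lists only, which is why it belongs in init.groovy.d: a restart without it re-registers the CLI.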

Daniel Beck

Nov 11, 2016, 3:29:53 PM11/11/16
to jenkinsci-...@googlegroups.com
We have since been able to confirm the vulnerability. It does indeed work as reported, so all Jenkins administrators are advised to secure their instances as described in the previous message.

We are currently preparing out-of-sequence LTS and weekly releases for next Wednesday, November 16, addressing this vulnerability.
