Jenkins < 2.138.4 LTS / 2.150.1 LTS / 2.154 Multiple Vulnerabilities - Nessus
Critical Plugin ID: 119500This page contains detailed information about the Jenkins < 2.138.4 LTS / 2.150.1 LTS / 2.154 Multiple Vulnerabilities Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 119500
Name: Jenkins < 2.138.4 LTS / 2.150.1 LTS / 2.154 Multiple Vulnerabilities
Filename: jenkins_2_154.nasl
Vulnerability Published: 2018-12-05
This Plugin Published: 2018-12-07
Last Modification Time: 2022-04-11
Plugin Version: 1.10
Plugin Type: combined
Plugin Family: CGI abuses
Dependencies:
jenkins_detect.nasl, jenkins_nix_installed.nbin, jenkins_win_installed.nbin, macosx_jenkins_installed.nbin
Required KB Items [?]: installed_sw/Jenkins
Vulnerability Information
Severity: Critical
Vulnerability Published: 2018-12-05
Patch Published: 2018-12-05
CVE [?]: CVE-2018-1000861, CVE-2018-1000862, CVE-2018-1000863, CVE-2018-1000864
CPE [?]: cpe:/a:cloudbees:jenkins
Synopsis
A job scheduling and management system hosted on the remote web server is affected by multiple vulnerabilities.
Description
The version of Jenkins running on the remote web server is prior to 2.154 or is a version of Jenkins LTS prior to 2.138.4 or 2.150.1. It is, therefore, affected by multiple vulnerabilities:
- A command execution vulnerability exists in the Stapler web framework used in Jenkins due to certain methods being invoked via crafted URLs. An unauthenticated, remote attacker can exploit this to invoke methods never intended to be invoked in this way, which could potentially lead to command execution.
- A denial of service (DoS) vulnerability exists in Jenkins due to a forced migration of user records. An unauthenticated, remote attacker can exploit this issue, via submitting a crafted username to Jenkins login, which could potentially prevent valid users from being able to log in.
- An arbitrary file read vulnerability exists in Jenkins due to the workspace browser following symlinks outside the workspace. An attacker could exploit this to read arbitrary files outside of the workspace and disclose sensitive information.
- A potential denial of service (DoS) vulnerability exists in Jenkins due to an error in cron expression form validation. An attacker can exploit this issue, via a crafted cron expression, to cause the application to stop responding.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade Jenkins to version 2.154 or later, Jenkins LTS to version 2.138.4, 2.150.1 or later.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Jenkins < 2.138.4 LTS / 2.150.1 LTS / 2.154 Multiple Vulnerabilities vulnerability:
- Metasploit: exploit/multi/http/jenkins_metaprogramming
[Jenkins ACL Bypass and Metaprogramming RCE] - GitHub: https://github.com/0ps/pocassistdb
[CVE-2018-1000861] - GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
[CVE-2018-1000861] - GitHub: https://github.com/SexyBeast233/SecBooks
[CVE-2018-1000861] - GitHub: https://github.com/Zompire/cc_talk_2021
[CVE-2018-1000861] - GitHub: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
[CVE-2018-1000861] - GitHub: https://github.com/deadbits/yara-rules
[CVE-2018-1000861] - GitHub: https://github.com/glithc/yara-detection
[CVE-2018-1000861] - GitHub: https://github.com/gobysec/Goby
[CVE-2018-1000861] - GitHub: https://github.com/gquere/pwn_jenkins
[CVE-2018-1000861] - GitHub: https://github.com/jiangsir404/POC-S
[CVE-2018-1000861] - GitHub: https://github.com/jweny/pocassistdb
[CVE-2018-1000861] - GitHub: https://github.com/koutto/jok3r-pocs
[CVE-2018-1000861] - GitHub: https://github.com/orangetw/awesome-jenkins-rce-2019
[CVE-2018-1000861] - GitHub: https://github.com/veo/vscan
[CVE-2018-1000861] - GitHub: https://github.com/whoadmin/pocs
[CVE-2018-1000861] - GitHub: https://github.com/woods-sega/woodswiki
[CVE-2018-1000861] - GitHub: https://github.com/xDro1d/CVE-2018-1000861
[CVE-2018-1000861: Jenkins远程代码执行] - GitHub: https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION
[CVE-2018-1000861: A C# module to detect if a Jenkins server is vulnerable to the RCE vulnerability ...]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2018-1000861
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
| CVSS Base Score: | 10.0 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 8.7 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.7 (High) |
| CVSS Base Score: | 9.8 (Critical) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 3.9 |
| CVSS Temporal Score: | 9.4 (Critical) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 9.4 (Critical) |
Go back to menu.
Plugin Source
This is the jenkins_2_154.nasl nessus plugin source code. This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(119500);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id(
"CVE-2018-1000861",
"CVE-2018-1000862",
"CVE-2018-1000863",
"CVE-2018-1000864"
);
script_xref(name:"TRA", value:"TRA-2018-43");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/08/10");
script_name(english:"Jenkins < 2.138.4 LTS / 2.150.1 LTS / 2.154 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"A job scheduling and management system hosted on the remote web server
is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Jenkins running on the remote web server is prior to
2.154 or is a version of Jenkins LTS prior to 2.138.4 or 2.150.1. It is,
therefore, affected by multiple vulnerabilities:
- A command execution vulnerability exists in the Stapler
web framework used in Jenkins due to certain methods
being invoked via crafted URLs. An unauthenticated,
remote attacker can exploit this to invoke methods
never intended to be invoked in this way, which could
potentially lead to command execution.
- A denial of service (DoS) vulnerability exists in
Jenkins due to a forced migration of user records.
An unauthenticated, remote attacker can exploit
this issue, via submitting a crafted username to
Jenkins login, which could potentially prevent
valid users from being able to log in.
- An arbitrary file read vulnerability exists in
Jenkins due to the workspace browser following
symlinks outside the workspace. An attacker
could exploit this to read arbitrary files
outside of the workspace and disclose sensitive
information.
- A potential denial of service (DoS) vulnerability
exists in Jenkins due to an error in cron expression
form validation. An attacker can exploit this issue,
via a crafted cron expression, to cause the application
to stop responding.
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2018-12-05/");
script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2018-43");
script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins to version 2.154 or later, Jenkins LTS to version
2.138.4, 2.150.1 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1000861");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Jenkins ACL Bypass and Metaprogramming RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/05");
script_set_attribute(attribute:"patch_publication_date", value:"2018/12/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/07");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("jenkins_detect.nasl", "jenkins_win_installed.nbin", "jenkins_nix_installed.nbin", "macosx_jenkins_installed.nbin");
script_require_keys("installed_sw/Jenkins");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::combined_get_app_info(app:'Jenkins');
var constraints = [
{ 'fixed_version' : '2.154', 'fixed_display' : '2.138.4 LTS / 2.150.1 LTS / 2.154', 'edition' : 'Open Source' },
{ 'fixed_version' : '2.138.4', 'fixed_display' : '2.138.4 LTS / 2.150.1 LTS / 2.154', 'edition' : 'Open Source LTS' }
];
vcf::jenkins::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/jenkins_2_154.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\jenkins_2_154.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/jenkins_2_154.nasl
Go back to menu.
How to Run
Here is how to run the Jenkins < 2.138.4 LTS / 2.150.1 LTS / 2.154 Multiple Vulnerabilities as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select Jenkins < 2.138.4 LTS / 2.150.1 LTS / 2.154 Multiple Vulnerabilities plugin ID 119500.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl jenkins_2_154.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a jenkins_2_154.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - jenkins_2_154.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state jenkins_2_154.nasl -t <IP/HOST>Go back to menu.
References
TRA | Tenable Research Advisory: See also:
- https://www.tenable.com/plugins/nessus/119500
- https://jenkins.io/security/advisory/2018-12-05/
- https://www.tenable.com/security/research/tra-2018-43
- https://vulners.com/nessus/JENKINS_2_154.NASL
- 72685 - Jenkins < 1.551 / 1.532.2 and Jenkins Enterprise 1.509.x / 1.532.x < 1.509.5.1 / 1.532.2.2 Multiple Vulnerabilities
- 78859 - Jenkins < 1.583 / 1.565.3 and Jenkins Enterprise 1.532.x / 1.554.x / 1.565.x < 1.532.10.1 / 1.554.10.1 / 1.565.3.1 Multiple Vulnerabilities
- 89925 - Jenkins < 1.642.2 / 1.650 and Jenkins Enterprise < 1.609.16.1 / 1.625.16.1 / 1.642.2.1 Multiple Vulnerabilities
- 111603 - Jenkins < 2.121.2 / 2.133 Multiple Vulnerabilities
- 118147 - Jenkins < 2.138.2 (LTS) / 2.146 Multiple Vulnerabilities
- 127053 - Jenkins < 2.176.2 LTS / 2.186 Multiple Vulnerabilities
- 130099 - Jenkins < 2.176.4 LTS / 2.197 Multiple Vulnerabilities
- 139734 - Jenkins < 2.235.5 LTS / 2.243 Information Disclosure Vulnerability
- 139726 - Jenkins < 2.235.4 LTS / 2.252 Multiple Cross-Site Scripting (XSS) Vulnerabilities
- 148401 - Jenkins weekly < 2.280 Privilege Escalation
- 148975 - Jenkins LTS < 2.277.3 / Jenkins weekly < 2.286
- 151193 - Jenkins LTS < 2.289.2 / Jenkins weekly < 2.300 Multiple Vulnerabilities
- 154055 - Jenkins LTS < 2.303.2 / Jenkins weekly < 2.315 Multiple Vulnerabilities
- 156929 - Jenkins LTS < 2.319.2 / Jenkins weekly < 2.330 Multiple Vulnerabilities
- 157860 - Jenkins LTS < 2.319.3 / Jenkins weekly < 2.334 Multiple Vulnerabilities
- 99984 - Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities
- 153924 - Jenkins Git Plugin < 4.8.3 / Jenkins LTS < 2.303.2 / Jenkins weekly < 2.315 Multiple Vulnerabilities (Deprecated)
- 97609 - Jenkins < 2.44 / 2.32.x < 2.32.2, Jenkins Operations Center < 1.625.22.1 / 2.7.22.0.1 / 2.32.2.1, and Jenkins Enterprise < 1.651.22.1 / 2.7.22.0.1 / 2.32.2.1 Multiple Vulnerabilities
- 129169 - Jenkins Security Advisory 2019-01-08 Multiple Vulnerabilities
- 155735 - Jenkins Plugins Multiple Vulnerabilities (Jenkins Security Advisory 2021-03-30)
- 156930 - Jenkins plugins Multiple Vulnerabilities (2022-01-12)
- 86898 - Jenkins < 1.638 / 1.625.2 Java Object Deserialization RCE
- 89725 - Jenkins < 1.642.2 / 1.650 Java Object Deserialization RCE
- 89034 - Jenkins < 1.642.2 / 1.650 Java Object Deserialization RCE
- 155587 - Jenkins Enterprise and Operations Center < 2.249.31.0.1 / 2.277.3.1 DoS (CloudBees Security Advisory 2021-04-20)
- 153977 - Jenkins Enterprise and Operations Center < 2.249.31.0.6 / 2.277.40.0.1 / 2.289.2.2 Multiple Vulnerabilities (CloudBees Security Advisory 2021-06-30)
- 153890 - Jenkins Enterprise and Operations Center < 2.249.32.0.2 / 2.277.41.0.2 / 2.303.1.6 Multiple Vulnerabilities (CloudBees Security Advisory 2021-08-31)
- 155661 - Jenkins Enterprise and Operations Center < 2.249.33.0.1 / 2.277.42.0.1 / 2.303.2.5 Multiple Vulnerabilities (CloudBees Security Advisory 2021-10-06)
- 158092 - Jenkins Enterprise and Operations Center < 2.277.43.0.3 / 2.319.1.5 Multiple Vulnerabilities (CloudBees Security Advisory 2021-12-01)
- 158059 - Jenkins Enterprise and Operations Center < 2.277.43.0.5 / 2.319.2.5 Multiple Vulnerabilities (CloudBees Security Advisory 2022-01-12)
- 158672 - Jenkins Enterprise and Operations Center 2.277.x < 2.277.43.0.6 / 2.303.x < 2.303.30.0.5 / 2.319.3.3 Multiple DoS (CloudBees Security Advisory 2022-02-09)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file jenkins_2_154.nasl version 1.10. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
