Jenkins 2.150.2 Remote Command Execution Via Node JS
Posted by deepcore on February 13, 2019 – 3:00 pm
This Metasploit module can run commands on the system using Jenkins users who have JOB creation and BUILD privileges. The vulnerability is exploited by a small script prepared in NodeJS. The sh parameter allows us to run commands. Sample script: node { sh "whoami" } In addition, ANONYMOUS users also have the authority to create and BUILD jobs by default. Therefore, all users without console authority can run commands on the system with root privileges.
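A defensive check for the condition described above, added here as an example and not part of the original post or the Metasploit module: it audits a Jenkins config.xml for anonymous job-creation and build rights. The function name and the SAMPLE document are constructed for illustration. It assumes matrix-based authorization stored as "permission:sid" entries, and it also flags Item.Configure and Administer, which goes beyond the two privileges the post names.

```python
import xml.etree.ElementTree as ET

# Create + Build are the privileges named in the post. Configure and Administer
# are added here as an assumption, since they allow the same job edits.
RISKY = {"hudson.model.Item.Create", "hudson.model.Item.Build",
         "hudson.model.Item.Configure", "hudson.model.Hudson.Administer"}


def anonymous_job_risk(config_xml):
    """Return sorted findings for a Jenkins config.xml; empty list means none."""
    root = ET.fromstring(config_xml)
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        return ["security disabled: every visitor has full control"]
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or cls.endswith("AuthorizationStrategy$Unsecured"):
        return ["authorization strategy is unsecured or missing"]
    findings = []
    for perm in strategy.iter("permission"):
        # Entries look like "<permission id>:<sid>"; newer matrix-auth plugin
        # versions prefix them with "USER:" or "GROUP:".
        name, _, sid = (perm.text or "").strip().rpartition(":")
        name = name.split(":")[-1]
        if sid == "anonymous" and name in RISKY:
            findings.append("anonymous granted " + name)
    return sorted(findings)


# Constructed sample, not taken from a real server.
SAMPLE = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Create:anonymous</permission>
    <permission>USER:hudson.model.Item.Build:anonymous</permission>
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    for finding in anonymous_job_risk(SAMPLE):
        print(finding)
```

Any finding means an unauthenticated visitor can define and run a job, so remove those grants from the anonymous user.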