Jenkins ACL Bypass / Metaprogramming Remote Code Execution
Posted by deepcore on March 19, 2019 – 9:30 pm
This Metasploit module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. The ACL bypass gadget is specific to Jenkins versions 2.137 and below and will not work on later versions of Jenkins. Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
Post a reply
You must be logged in to post a comment.