CVE-2023-46654
📋 TL;DR
The Jenkins CloudBees CD Plugin vulnerability allows attackers with job configuration permissions to delete arbitrary files on the Jenkins controller file system by exploiting symbolic link traversal during artifact cleanup. This affects Jenkins instances using CloudBees CD Plugin version 1.1.32 and earlier. Attackers can cause denial of service or potentially escalate privileges by deleting critical system files.
💻 Affected Systems
- Jenkins CloudBees CD Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical OS files, Jenkins configuration files, or security credentials, leading to system instability, data loss, or privilege escalation.
Likely Case
Targeted deletion of Jenkins configuration files, build artifacts, or application data causing service disruption, failed builds, or data corruption.
If Mitigated
Limited impact to non-critical files if proper file permissions and job configuration controls are enforced, with minimal operational disruption.
🎯 Exploit Status
Exploitation requires authenticated access with job configuration permissions. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CloudBees CD Plugin 1.1.33 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3237
Restart Required: Yes
Instructions:
1. Update Jenkins CloudBees CD Plugin to version 1.1.33 or later via Jenkins Plugin Manager. 2. Restart Jenkins instance. 3. Verify plugin version in installed plugins list.
🔧 Temporary Workarounds
Disable CloudBees CD - Publish Artifact post-build step
allRemove or disable the vulnerable post-build step from all Jenkins jobs to prevent exploitation.
Navigate to each job configuration and remove 'CloudBees CD - Publish Artifact' post-build step
Restrict job configuration permissions
allLimit 'Job/Configure' permissions to trusted administrators only to reduce attack surface.
Configure Jenkins security matrix to restrict 'Job/Configure' permissions
🧯 If You Can't Patch
- Implement strict access controls to limit job configuration permissions to essential administrators only.
- Monitor file deletion activities on Jenkins controller and implement file integrity monitoring for critical system files.
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for CloudBees CD Plugin version. If version is 1.1.32 or earlier, the system is vulnerable.Check Version:
Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed plugins, find CloudBees CD PluginVerify Fix Applied:
Verify CloudBees CD Plugin version is 1.1.33 or later in Jenkins plugin manager after update.📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion patterns in system logs
- Jenkins audit logs showing unauthorized job configuration changes
- Failed build logs referencing missing artifact files
Network Indicators:
- Unusual authentication patterns to Jenkins web interface
- Multiple job configuration requests from single user in short timeframe
SIEM Query:
source="jenkins.log" AND ("file deletion" OR "symbolic link" OR "CloudBees CD" AND "error")