CVE-2024-2216
📋 TL;DR
This vulnerability in Jenkins docker-build-step Plugin allows attackers with Overall/Read permission to connect to arbitrary TCP or Unix socket URLs and reconfigure the plugin. Attackers can manipulate future build step executions, potentially leading to unauthorized access or code execution. All Jenkins instances using docker-build-step Plugin version 2.11 or earlier are affected.
💻 Affected Systems
- Jenkins docker-build-step Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect docker connections to malicious servers, execute arbitrary code in build environments, steal credentials, or compromise the entire Jenkins infrastructure.
Likely Case
Attackers with read access can reconfigure docker endpoints to connect to attacker-controlled servers, potentially intercepting build artifacts, injecting malicious code into builds, or accessing sensitive build environment data.
If Mitigated
With proper access controls limiting Overall/Read permissions and network segmentation, impact is reduced to unauthorized configuration changes within the plugin's scope.
🎯 Exploit Status
Exploitation requires Overall/Read permission but is straightforward once access is obtained. The vulnerability is in a widely used Jenkins plugin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3200
Restart Required: Yes
Instructions:
1. Update Jenkins docker-build-step Plugin to version 2.12 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.
🔧 Temporary Workarounds
Restrict Overall/Read Permissions
Limit Overall/Read permissions to trusted users only to prevent exploitation.
Disable or Remove Plugin
Temporarily disable or uninstall the docker-build-step Plugin if not essential.
🧯 If You Can't Patch
- Implement strict network segmentation to limit outbound connections from Jenkins to trusted docker registries only.
- Audit and minimize users with Overall/Read permission, applying principle of least privilege.
🔍 How to Verify
Check if Vulnerable:
Check Jenkins Plugin Manager for docker-build-step Plugin version. If version is 2.11 or earlier, the system is vulnerable.
Check Version:
Check via the Jenkins web UI (Manage Jenkins > Manage Plugins > Installed tab) or via the Jenkins CLI: 'java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins'
Verify Fix Applied:
Verify docker-build-step Plugin version is 2.12 or later in Manage Jenkins > Manage Plugins > Installed tab.
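The version check above can be automated against the output of the Jenkins CLI 'list-plugins' command. The script below is an added example, not part of this advisory or the plugin; the sample output is constructed, and it assumes the plugin's versions are plain dotted numbers (as 2.11 and 2.12 are) and that the fixed version is 2.12.

```python
import re
from typing import Optional

# Parser for Jenkins CLI `list-plugins` output. Each line carries the plugin's
# short name, its display name, the installed version and, when an update is
# available, the newer version in parentheses. The display name is matched
# non-greedily so it may contain spaces or parentheses.
_LINE = re.compile(r"^(?P<short>\S+)\s+(?P<display>.*?)\s+(?P<version>\d[\w.\-]*)"
                   r"(?:\s+\((?P<update>[^)]+)\))?\s*$")

# Constructed sample output, not captured from a real Jenkins instance.
SAMPLE_OUTPUT = """\
docker-build-step (Docker build step plugin) 2.11 (2.12)
git (Git plugin) 5.2.1
credentials (Credentials Plugin) 1319.v7eb_51b_3a_c97b_
"""

def version_key(version: str) -> tuple:
    """Turn a dotted version such as '2.11' into a comparable tuple of ints.
    Non-numeric fragments are dropped; assumption: docker-build-step releases
    use plain numeric versions, so this ordering is correct for them."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_list_plugins(text: str) -> dict:
    """Map plugin short name -> installed version from `list-plugins` output."""
    installed = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            installed[match["short"]] = match["version"]
    return installed

def is_affected(installed: dict, plugin: str = "docker-build-step",
                fixed_in: str = "2.12") -> Optional[bool]:
    """True if the plugin is installed below the fixed version, False if it is
    at or above it, None if the plugin is not installed at all."""
    version = installed.get(plugin)
    if version is None:
        return None
    return version_key(version) < version_key(fixed_in)

if __name__ == "__main__":
    plugins = parse_list_plugins(SAMPLE_OUTPUT)
    verdict = is_affected(plugins)
    print(f"docker-build-step {plugins.get('docker-build-step')}: affected={verdict}")
```

Pipe the real CLI output into parse_list_plugins to check a live controller; a None result means the plugin is not installed and the instance is out of scope for this CVE.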
📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration changes to docker-build-step plugin
- Unexpected connections to non-standard docker endpoints
- Errors in build logs related to docker connection failures
Network Indicators:
- Outbound connections from Jenkins to unexpected IP addresses on docker ports (2375, 2376)
- DNS queries for suspicious docker registry domains
SIEM Query:
source="jenkins.log" AND ("docker-build-step" AND ("reconfigure" OR "connection test")) NOT user="trusted_user"