CVE-2024-34144

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers with permission to define and run sandboxed scripts in Jenkins to bypass sandbox protections via crafted constructor bodies, enabling arbitrary code execution on the Jenkins controller. It affects Jenkins instances using Script Security Plugin 1335.vf07d9ce377a_e and earlier. Attackers need script creation permissions but can then achieve full system compromise.

💻 Affected Systems

Products:
  • Jenkins Script Security Plugin
Versions: 1335.vf07d9ce377a_e and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have permission to define and run sandboxed scripts (e.g., Pipeline scripts). Default Jenkins installations grant this to administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Jenkins controller with full administrative access, data exfiltration, lateral movement to connected systems, and persistent backdoor installation.

🟠 Likely Case

Attackers with existing script permissions gain full control over Jenkins, allowing them to steal credentials, modify pipelines, and access sensitive build artifacts.

🟢 If Mitigated

With strict permission controls limiting who can create scripts, exploitation is limited to authorized users acting as malicious insiders.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with script creation permissions. Public technical details are available in advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1335.vf07d9ce377a_e_ and later

Vendor Advisory: https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341

Restart Required: Yes

Instructions:

1. Update Jenkins Script Security Plugin to version 1335.vf07d9ce377a_e_ or later via Jenkins Plugin Manager.
2. Restart Jenkins service.
3. Verify plugin version in Installed Plugins list.

🔧 Temporary Workarounds

Restrict Script Permissions

all

Temporarily remove or restrict permissions for users to define and run sandboxed scripts until patching is complete.

Use Jenkins Role-Based Strategy or Matrix Authorization to remove 'Run/Replay Pipelines' and 'Configure' permissions from non-admin users.

🧯 If You Can't Patch

  • Implement strict access controls to limit script creation permissions to only essential administrators.
  • Monitor Jenkins logs for unusual script execution patterns and review all existing pipeline scripts for malicious code.

🔍 How to Verify

Check if Vulnerable:

Check the Jenkins Plugin Manager for the Script Security Plugin version. If the version is 1335.vf07d9ce377a_e or earlier, the system is vulnerable.

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed tab, search for 'Script Security Plugin'.

Verify Fix Applied:

Verify Script Security Plugin version is 1335.vf07d9ce377a_e_ or later in Jenkins Plugin Manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script execution patterns in Jenkins logs
  • Unexpected constructor body modifications in pipeline scripts
  • Failed sandbox approval requests for constructor-related code

Network Indicators:

  • Unusual outbound connections from Jenkins controller to external systems

SIEM Query:

source="jenkins.log" AND ("sandbox bypass" OR "constructor" OR "CVE-2024-34144")
