CVE-2024-52550
📋 TL;DR
The Jenkins Pipeline: Groovy Plugin did not check whether the main (Jenkinsfile) script of a build being rebuilt is still approved (SECURITY-3362). An attacker with Item/Build permission, which is commonly granted, can use the Rebuild option on a previous build to re-run a Jenkinsfile whose script approval has since been revoked. This bypasses the Script Security approval control; for a non-sandboxed Jenkinsfile it runs Groovy on the controller with the controller's privileges. The attacker cannot write a new script, only re-run one that was approved when the earlier build ran. Any Jenkins instance running an affected plugin version and retaining builds whose scripts were later un-approved is exposed.
💻 Affected Systems
- Jenkins Pipeline: Groovy Plugin (plugin ID workflow-cps), versions 3990.vd281dd77a_388 and earlier, except the backport 3975.3977.v478dd9e956c3
📦 What is this software?
Pipeline: Groovy Plugin (workflow-cps) by the Jenkins project: the engine that runs Jenkinsfile pipelines by interpreting Groovy in a continuation-passing-style (CPS) interpreter, with the Script Security Plugin enforcing either a sandbox or an administrator's approval of each script.
⚠️ Risk & Real-World Impact
Worst Case
An attacker can only re-run scripts that were approved at the time of an earlier build, not author new ones. If such a script was unsandboxed (for example a malicious Jenkinsfile an administrator approved and then revoked on review), rebuilding it executes Groovy with the controller's privileges, which is enough to read stored credentials, alter other jobs, or publish tampered artifacts through the CI/CD pipeline.
Likely Case
Users holding Item/Build re-run pipelines whose approval an administrator deliberately withdrew, undoing that decision and executing code that current policy forbids within the affected jobs.
If Mitigated
With Item/Build limited to trusted users, old builds of revoked scripts deleted, and rebuild requests audited, impact is confined to trusted users re-running previously sanctioned scripts.
🎯 Exploit Status
Exploitation requires an authenticated account with Item/Build on a Pipeline job that retains at least one build whose Jenkinsfile was approved when it ran and has since had its approval revoked. No tooling is needed: the Rebuild option of the Replay action is a built-in UI action, a single POST, and unlike Replay it needs no Run/Replay permission.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3993.v3e20a_37282f8 or later (3975.3977.v478dd9e956c3 for installations on that backport line)
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362
Restart Required: Yes
Instructions:
1. Update the Pipeline: Groovy Plugin (plugin ID workflow-cps) to 3993.v3e20a_37282f8 or later via Manage Jenkins > Plugins (Manage Plugins on older releases).
2. Restart Jenkins to apply the update.
3. Review Manage Jenkins > In-process Script Approval and the build history of affected jobs: any script revoked before the fix could have been re-run in the meantime.
🔧 Temporary Workarounds
Restrict Item/Build Permissions
Limit Item/Build to trusted users only; the Rebuild option needs no permission beyond Item/Build, so this is the permission that matters.
Remove the Builds the Attack Needs
The Rebuild option cannot be switched off on its own. Rebuilding copies the script from a retained build record, so when you revoke a script's approval, also delete the builds that ran it, and keep build retention short on jobs that run unsandboxed Jenkinsfiles.
🧯 If You Can't Patch
- Restrict Item/Build to the minimum set of users, and review who holds it on jobs with unsandboxed Jenkinsfiles.
- Delete retained builds whose Jenkinsfile approval you revoke, so there is nothing left to rebuild.
- Alert on rebuild requests and on changes to In-process Script Approval in your audit logs.
🔍 How to Verify
Check if Vulnerable:
Go to Manage Jenkins > Plugins (Manage Plugins on older releases) > Installed, find 'Pipeline: Groovy' (plugin ID workflow-cps) and read the version. It is vulnerable if the leading number is 3990 or lower, except for the backport 3975.3977.v478dd9e956c3.
Check Version:
From the Jenkins CLI: java -jar jenkins-cli.jar -s https://<jenkins>/ -auth <user>:<api-token> list-plugins | grep workflow-cps. Over the REST API: GET /pluginManager/api/json?depth=1 and look for the entry whose shortName is workflow-cps. Both need an account that can open Manage Jenkins > Plugins.
Verify Fix Applied:
Confirm the version shown is 3993.v3e20a_37282f8 or later (or 3975.3977.v478dd9e956c3) and that Jenkins has been restarted since the update.
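The version check above is easy to get wrong because Jenkins plugin versions are not plain dotted numbers and the fixed backport has a lower leading number than the last vulnerable release. The following script, an added example written for this page and not code from the Jenkins project or the advisory, classifies a controller from the output of /pluginManager/api/json?depth=1 using the affected range stated above. The sample JSON is constructed; the fetch helper and its credential handling are an assumption about how a practitioner would call the API.

```python
"""Check a Jenkins controller's Pipeline: Groovy Plugin version against the
range the 2024-11-13 advisory lists for CVE-2024-52550 (SECURITY-3362).

Jenkins plugin versions look like "<build>.v<hash>" or, on backport lines,
"<base>.<build>.v<hash>"; the leading integer orders releases, the hash does not.
"""
import base64
import json
import re
import sys
import urllib.request
from typing import Optional

PLUGIN_ID = "workflow-cps"                    # plugin ID of "Pipeline: Groovy"
LAST_VULNERABLE_BUILD = 3990                  # 3990.vd281dd77a_388 and earlier are affected
SAFE_BACKPORT = "3975.3977.v478dd9e956c3"     # the one lower-numbered release that is fixed
FIXED_VERSION = "3993.v3e20a_37282f8"

_LEADING_INT = re.compile(r"^\s*(\d+)")


def leading_build_number(version: str) -> int:
    """Return the leading integer of a Jenkins plugin version string."""
    m = _LEADING_INT.match(version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(m.group(1))


def is_vulnerable(version: str) -> bool:
    """True when this workflow-cps version falls in the affected range."""
    if version.strip() == SAFE_BACKPORT:
        return False
    return leading_build_number(version) <= LAST_VULNERABLE_BUILD


def installed_version(plugin_manager_json: dict, plugin_id: str = PLUGIN_ID) -> Optional[str]:
    """Pull one plugin's version out of /pluginManager/api/json?depth=1 output."""
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") == plugin_id:
            return plugin.get("version")
    return None


def assess(plugin_manager_json: dict) -> str:
    """Classify a controller as 'vulnerable', 'fixed' or 'not-installed'."""
    version = installed_version(plugin_manager_json)
    if version is None:
        return "not-installed"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> dict:
    """GET the plugin list from a live controller with an API token.

    Assumed usage: the account must be allowed to open Manage Jenkins > Plugins.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample in the shape of the pluginManager API response.
SAMPLE_PLUGIN_JSON = {
    "plugins": [
        {"shortName": "example-plugin", "version": "1.0"},
        {"shortName": PLUGIN_ID, "version": "3990.vd281dd77a_388"},
    ]
}


def main(argv: list) -> int:
    """Usage: script.py <jenkins-url> <user> <api-token>; no args uses the sample."""
    if len(argv) == 4:
        data = fetch_plugin_manager_json(argv[1], argv[2], argv[3])
    else:
        data = SAMPLE_PLUGIN_JSON
    verdict = assess(data)
    print(f"{PLUGIN_ID} {installed_version(data)}: {verdict} (fixed in {FIXED_VERSION})")
    return 1 if verdict == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code makes the script usable as a gate in a fleet inventory job; the point of `is_vulnerable` is the explicit exception for the backport, which a naive "less than 3993" comparison would misreport as vulnerable.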
📡 Detection & Monitoring
Log Indicators:
- Rebuild requests (POST to a build's replay/rebuild URL) on Pipeline jobs, especially ones targeting old build numbers or issued by users who do not normally trigger that job.
- A revocation in In-process Script Approval followed by a rebuild of the same job that runs without a new approval request appearing; a build completing with no pending approval for a script that is not on the approved list is the signature of this bug.
Network Indicators:
- HTTP POST requests to /job/<name>/<number>/replay/rebuild, in particular from accounts that hold Item/Build but not Run/Replay.
SIEM Query:
index=jenkins method=POST uri_path="*/replay/rebuild" | stats count by user, uri_path
(Field names assume Jenkins access logs or Audit Trail plugin output parsed into method, uri_path and user; adjust to your schema. The plain jenkins.log does not record a status field or the requesting user.)
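To show the log indicators above as running detection logic rather than a query sketch, here is an added example, not code from the Jenkins project or this advisory. It assumes audit lines of the form "<timestamp> <request path> by <user>" (modelled on the Audit Trail plugin's output; the sample lines are constructed) and that the Rebuild option is served at /job/<name>/<number>/replay/rebuild. The heuristic, which goes slightly beyond the bullets, is that a rebuild by a user who started no ordinary build of that job in the same window, and who is not on a known-rebuilder list, deserves review.

```python
"""Flag Pipeline rebuilds worth a second look in Jenkins audit-style log lines.

Assumed line format (modelled on Audit Trail plugin output; samples below are
constructed for this example):
    <timestamp> <request path> by <user>
Assumed URL layout: the Rebuild option of the Replay action is served at
/job/<name>/<build>/replay/rebuild; jobs inside folders add more /job/ segments.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<path>/\S*)\s+by\s+(?P<user>\S+)$")
# Rebuild of a specific build number; the lazy job group keeps nested /job/ segments.
REBUILD_RE = re.compile(r"^(?P<job>/job/.+?)/(?P<build>\d+)/replay/rebuild/?$")
# Ordinary build triggers (with or without parameters).
BUILD_RE = re.compile(r"^(?P<job>/job/.+?)/build(?:WithParameters)?/?$")


class Rebuild(NamedTuple):
    ts: str
    user: str
    job: str
    build: int


def find_suspicious_rebuilds(lines: Iterable[str],
                             trusted_rebuilders: Set[str] = frozenset()) -> List[Rebuild]:
    """Return rebuilds issued by users who never started a normal build of that job
    within the given lines and are not on the trusted list."""
    builders: Dict[str, Set[str]] = defaultdict(set)  # job -> users who ran normal builds
    rebuilds: List[Rebuild] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an audit line in the assumed format
        path, user = m["path"], m["user"]
        b = BUILD_RE.match(path)
        if b:
            builders[b["job"]].add(user)
            continue
        r = REBUILD_RE.match(path)
        if r:
            rebuilds.append(Rebuild(m["ts"], user, r["job"], int(r["build"])))
    return [
        r for r in rebuilds
        if r.user not in trusted_rebuilders and r.user not in builders[r.job]
    ]


# Constructed sample: alice owns payments-deploy, bob owns a folder job, and
# mallory rebuilds an old payments-deploy build she never ran.
SAMPLE_LINES = [
    "2024-11-14T09:00:12Z /job/payments-deploy/build by alice",
    "2024-11-14T09:41:50Z /job/payments-deploy/41/replay/rebuild by alice",
    "2024-11-14T10:05:03Z /job/payments-deploy/17/replay/rebuild by mallory",
    "2024-11-14T10:07:44Z /job/team/job/frontend/buildWithParameters by bob",
    "2024-11-14T10:09:00Z /scriptApproval/ by admin",
    "2024-11-14T10:12:30Z /job/team/job/frontend/52/replay/rebuild by bob",
]


if __name__ == "__main__":
    for hit in find_suspicious_rebuilds(SAMPLE_LINES):
        print(f"{hit.ts} REVIEW: {hit.user} rebuilt {hit.job} #{hit.build}")
```

Run against a day of audit lines, each hit is a (user, job, build) triple to compare with the revocation history in In-process Script Approval: a rebuild of a build number older than the revocation is the case this CVE enables. The trusted list exists because release managers legitimately rebuild jobs they never trigger themselves.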