Jenkins Azure CLI Plugin, OS Command Injection, CVE-2025-XXXX (High)

How the CVE Works:

The vulnerability exists because the Jenkins Azure CLI Plugin, versions 0.9 and earlier, does not implement any validation or restriction on the commands it is instructed to execute. When a user with the Item/Configure permission configures a build job, they can control the arguments passed to the Azure CLI. The plugin passes these user-supplied inputs directly to a shell command executor on the Jenkins controller. By crafting malicious input with shell metacharacters (e.g., semicolons, ampersands, or backticks), an attacker can break out of the intended Azure CLI command context and execute arbitrary operating system commands. This grants them full control over the Jenkins controller server with the privileges of the Jenkins process.
Platform: Jenkins
Version: 0.9 and earlier
Vulnerability: OS Command Injection
Severity: High
Date: 2024-10-29
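The mechanism described above, as an added illustration that is not code from the page or the plugin: a simplified model of what a POSIX shell does with a concatenated `az` command line, next to a hardened pattern that tokenizes without a shell, allowlists each argument, and passes an argv list instead of `sh -c`. The allowlist regex and function names are assumptions for this example.

```python
import re
import shlex

# Shell operators that terminate the intended `az ...` command and start another.
SHELL_OPERATORS = {";", "&", "&&", "|", "||"}

# Defense-in-depth allowlist for a single az argument (hypothetical policy:
# letters, digits and the punctuation Azure CLI options and JMESPath queries need).
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.,:=/@\[\]-]+$")


def vulnerable_command_line(user_args: str) -> str:
    """Models the flawed pattern: the configured string is concatenated into a
    shell command line and handed to `sh -c`, so metacharacters are interpreted."""
    return "az " + user_args


def shell_commands(command_line: str) -> list[list[str]]:
    """Simplified model of how a POSIX shell splits a command line into separate
    commands (only ; & && | || are modelled; backticks and $() are not)."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in SHELL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def rejected_tokens(user_args: str) -> list[str]:
    """Tokenize the configured arguments without a shell and return every token
    that fails the allowlist (an empty list means the input is acceptable)."""
    return [t for t in shlex.split(user_args, posix=True) if not SAFE_TOKEN.fullmatch(t)]


def build_argv(user_args: str) -> list[str]:
    """Hardened counterpart: validate, then return an argv list to run as
    subprocess.run(argv) with no shell, so `&` or `;` can never act as operators."""
    bad = rejected_tokens(user_args)
    if bad:
        raise ValueError(f"rejected argument token(s): {bad}")
    return ["az", *shlex.split(user_args, posix=True)]
```

With the constructed input `service list --query "[].id" & whoami &`, `shell_commands` shows the string becoming two separate commands, while `rejected_tokens` flags both `&` tokens and `build_argv` refuses to run it.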

Prediction: 2024-11-19

What Undercode Say:

az '; cat /etc/passwd
az & whoami &
// Pipeline step exploiting the plugin
node {
azCLI(command: 'service list --query "[].id" & whoami &')
}

How the Exploit Works:

Attacker with Item/Configure permission injects shell metacharacters into the plugin’s command configuration, breaking command context and executing arbitrary system commands on the controller.

Protection from this CVE:

No patch available. Restrict the Item/Configure permission to trusted users. Monitor for a plugin update.

Impact:

Arbitrary command execution on Jenkins controller, leading to full system compromise.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode