Addressing recently disclosed vulnerabilities in the Jenkins CLI

    The Jenkins security team has been made aware of a new attack vector for a remote code execution vulnerability in the Jenkins CLI, according to this advisory by Daniel Beck:

    We have received a report of a possible unauthenticated remote code execution vulnerability in Jenkins (all versions).

    We strongly advise anyone running a Jenkins instance on a public network disable the CLI for now.

    As this uses the same attack vector as SECURITY-218, you can reuse the script and instructions published in this repository: https://github.com/jenkinsci-cert/SECURITY-218

    We have since been able to confirm the vulnerability and strongly recommend that everyone follow the instructions in the linked repository.

    As Daniel mentions in the security advisory, the advised mitigation strategy is to disable the CLI subsystem via this Groovy script. If you are a Jenkins administrator, navigate to the 'Manage Jenkins' page and click on the 'Script Console', which will allow you to run the Groovy script to immediately disable the CLI.

    In order to persist this change across restarts of your Jenkins controller, place the Groovy script in $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy so that Jenkins executes the script on each boot.

    We are expecting to have a fix implemented, tested and included in an updated weekly and LTS release this upcoming Wednesday, November 16th.

    For users who are operating Jenkins on public, or otherwise hostile, networks, we suggest hosting Jenkins behind reverse proxies such as Apache or Nginx. These can help provide an additional layer of security, when used appropriately, to cordon off certain URLs such as /cli.

    Additionally, we strongly recommend that all Jenkins administrators subscribe to the jenkinsci-advisories@googlegroups.com mailing list to receive future advisories.


    The Jenkins project has a responsible disclosure policy, which we strongly encourage anybody who believes they have discovered a potential vulnerability to follow. You can learn more about this policy and our processes on our security page.

    About the Author
    R. Tyler Croy
    R. Tyler Croy

    R. Tyler Croy has been part of the Jenkins project for the past seven years. While avoiding contributing any Java code, Tyler is involved in many of the other aspects of the project which keep it running, such as this website, infrastructure, governance, etc.