Jenkins allows attackers to obtain sensitive information
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.533 → fixed in 1.5510 → fixed in 1.532.2
Details
The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.
The fix
[FIXED SECURITY-73] Require RUN_SCRIPTS for /heapDump.
core/src/main/java/hudson/util/RemotingDiagnostics.java+1 −1
@@ -202,7 +202,7 @@ public void doIndex(StaplerResponse rsp) throws IOException {@WebMethod(name="heapdump.hprof")public void doHeapDump(StaplerRequest req, StaplerResponse rsp) throws IOException, InterruptedException {-owner.checkPermission(Jenkins.ADMINISTER);+owner.checkPermission(Jenkins.RUN_SCRIPTS);rsp.setContentType("application/octet-stream");FilePath dump = obtain();
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-2068
- WEBhttps://github.com/jenkinsci/jenkins/commit/0530a6645aac10fec005614211660e98db44b5eb
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
- WEBhttp://www.openwall.com/lists/oss-security/2014/02/21/2