Sandboxed constructors are intended to create objects when called from code that does not have permission to create objects. This makes it harder for attackers to use constructors in a way that would let them execute code as the Jenkins controller. This issue does not allow attackers to run arbitrary code in Jenkins. It only allows attackers to execute code in Jenkins when the controller is used in a pipeline that is configured to use the Jenkins Script Security Plugin. This means that the issue can only be used if the Jenkins server has been configured to allow the creation of pipelines that use the Jenkins Script Security Plugin. An attacker can do this by setting up a malicious build server that allows the creation of pipelines that use the Jenkins Script Security Plugin. When a new pipeline is created, the Jenkins controller consults the build server to determine whether it is allowed to run the pipeline. If the build server allows the creation of pipelines that use the Jenkins Script Security Plugin, the Jenkins controller starts the pipeline and allows it to run in the context of the Jenkins controller. This lets attackers use a malicious script on the build server to create a malicious pipeline that runs in the context of the Jenkins controller. The attacker could then use this issue to run arbitrary code in Jenkins. This issue does not allow attackers to run arbitrary code outside of Jenkins.

The Build Pipeline Security Plugin

The Jenkins Script Security Plugin is a security plugin for the Jenkins software. This plugin could be configured to allow or prevent users from running scripts outside of Jenkins. If this plugin is configured to disallow running scripts outside of Jenkins, attackers would only have the ability to execute code in Jenkins when the controller is used in a pipeline that uses the build pipeline security plugin.
A malicious attacker could then create a malicious build server that allows the creation of pipelines using the build pipeline security plugin to run in its context. When a new pipeline is created by an attacker, they can use this issue to execute arbitrary files on their build server in addition to using it in their new malicious pipeline.

The current state of Jenkins and how this issue can be used to take over a Jenkins installation

The Jenkins Script Security plugin is used to prevent users from executing malicious scripts. This plugin is configured in Jenkins to allow the creation of pipelines that use it. If a malicious script is created on a build server, this issue can be used by an attacker to create a pipeline that will run in the context of the Jenkins controller and execute their own code.

Vulnerability Details

CVE-2022-43404 is a vulnerability that allows attackers to execute code in Jenkins when the Jenkins controller is used in a pipeline that is configured to use the Jenkins Script Security Plugin. This means that the issue can only be used if the Jenkins server has been configured to allow the creation of pipelines that use the Jenkins Script Security Plugin. An attacker can do this by setting up a malicious build server that allows the creation of pipelines that use the Jenkins Script Security Plugin. When a new pipeline is created, the Jenkins controller consults the build server to determine whether it is allowed to run the pipeline. If the build server allows the creation of pipelines that use the Jenkins Script Security Plugin, then any vulnerabilities found on this build server will also be checked when a new pipeline is created.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 15:10:00 UTC

References