On July 18, 2018, Jenkins published its latest security advisory, disclosing multiple security vulnerabilities. Among them, SECURITY-914 is an arbitrary file read vulnerability reported by Orange.
Attackers can exploit this critical vulnerability to read arbitrary files on Windows servers and, under specific conditions, on Linux servers as well. Attackers can also obtain credentials stored in Jenkins and thereby expose sensitive user information. Because some of these credentials may be user passwords, attackers could use them to log on to the Jenkins system and execute commands.
Arbitrary file read vulnerability in Jenkins
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allows unauthenticated users to send crafted HTTP requests that return the contents of any file on the Jenkins master file system that the Jenkins master process can access.
For more information about this vulnerability, see the Jenkins security advisory.
Affected versions
- Jenkins weekly 2.132 and earlier
- Jenkins LTS 2.121.1 and earlier
Fixed versions
- Upgrade Jenkins weekly to 2.133.
- Upgrade Jenkins LTS to 2.121.2.
If you do not want to upgrade Jenkins to fix this vulnerability, we recommend that you use the custom protection policy feature provided by WAF to protect your business.
... /. This prevents attackers from exploiting this vulnerability to read arbitrary files by using directory traversal.
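As an added example (not from the original advisory and not WAF product code), the following Python script shows the kind of check a custom traversal-blocking rule needs to make: it percent-decodes each request path repeatedly before looking for `..` segments, so that encoded and double-encoded variants are caught while legitimate names that merely contain `..` are not flagged. All log lines below are constructed.

```python
"""Flag directory-traversal attempts in HTTP access-log lines.

Added example: percent-decode the request path until it stops changing
(catches single and double encoding), then flag any '..' path segment.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2018:10:00:01 +0000] "GET /jenkins/static/abc/css/style.css HTTP/1.1" 200 512
203.0.113.5 - - [18/Jul/2018:10:00:02 +0000] "GET /jenkins/static/../../some/file HTTP/1.1" 200 2048
203.0.113.5 - - [18/Jul/2018:10:00:03 +0000] "GET /jenkins/static/%2e%2e/%2e%2e/some/file HTTP/1.1" 200 2048
203.0.113.5 - - [18/Jul/2018:10:00:04 +0000] "GET /jenkins/static/%252e%252e%252f%252e%252e/some/file HTTP/1.1" 200 2048
203.0.113.5 - - [18/Jul/2018:10:00:05 +0000] "GET /jenkins/job/build..logs/ HTTP/1.1" 200 128
"""

# Pulls the method and raw path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Drop the query string and percent-decode until the path stops changing."""
    path = path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators too, since Windows hosts accept them.
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path segment is exactly '..' after normalisation."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def flag_traversal_requests(log_text: str) -> list:
    """Return (method, raw_path) for every request whose path attempts traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("method"), m.group("path")))
    return hits


if __name__ == "__main__":
    for method, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt: {method} {path}")
```

Running the script flags the three encoded and unencoded `../../` requests and leaves the `build..logs` job path alone.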