On July 18, 2018, Jenkins released the latest security advisory and announced multiple vulnerabilities. SECURITY-914 is an arbitrary file read vulnerability reported by Orange.
Attackers can exploit this vulnerability to read any file on a Windows server and, under specific conditions, read files on a Linux server. Attackers can also obtain credential information stored in Jenkins systems and therefore expose sensitive user information. Some credentials may be user passwords, which enable the attackers to log on to Jenkins systems and execute commands.
Jenkins arbitrary file read
The Stapler Web framework used by Jenkins contains an arbitrary file read vulnerability. Unauthenticated attackers can send crafted HTTP requests to read the contents of any file on the Jenkins master file system that the Jenkins master process has access to.
For more information about this vulnerability, see Jenkins security advisory.
Affected versions
- Jenkins weekly 2.132 and earlier versions
- Jenkins LTS 2.121.1 and earlier versions
Solutions
- Upgrade Jenkins weekly to version 2.133.
- Upgrade Jenkins LTS to version 2.121.2.
If you do not want to upgrade Jenkins to resolve this vulnerability, we recommend that you use the HTTP ACL Policy feature provided by WAF to protect your business: configure a rule that blocks requests whose URL contains the `../` sequence. This prevents attackers from launching directory traversal attacks to read arbitrary files on your servers.