Full Report
What usage patterns, plugin adoption, and configuration choices reveal about the Jenkins attack surface.
Analysis Summary
This summary condenses Wiz's research on the Jenkins attack surface and the vulnerability trends it identifies.
# Vulnerability: Jenkins Core & Plugin Ecosystem Security Debt
## CVE Details
*The research discusses a broad class of vulnerabilities rather than a single flaw; the entries below describe that class and the critical trends it references:*
- **CVE ID:** Not limited to one; the research covers the collection of **Critical Jenkins Core CVEs**, for example CVE-2024-23897 (arbitrary file read through the CLI argument parser, which has been chained to RCE) and CVE-2023-27898 (stored XSS in the plugin manager, chainable to code execution on the controller).
- **CVSS Score:** 9.0 - 10.0 (**Critical**) for the core flaws in this class.
- **CWE:** CWE-94 (Code Injection), CWE-77 (Command Injection), CWE-22 (Path Traversal), CWE-287 (Improper Authentication).
## Affected Systems
- **Products:** Jenkins Automation Server, Jenkins LTS, and various ecosystem plugins.
- **Versions:**
- 87% of environments run an **End-of-Life (EOL)** Jenkins version.
- 21% run at least one plugin with an unpatched Critical or High vulnerability.
- **Configurations:**
- Instances running on cloud compute whose attached service account or instance role holds administrative permissions (21% of environments).
- Instances with deprecated plugins installed, such as `workflow-cps-global-lib` (31% adoption) or `extended-choice-parameter` (14% adoption).
## Vulnerability Description
The vulnerability profile of Jenkins follows from its architectural role and from accumulated "security debt." As a CI/CD orchestrator it runs arbitrary build steps on the controller and its agents under an OS account, and its credential store holds API tokens, cloud credentials and signing material, so code execution on the controller converts directly into access to everything the pipelines can reach. Technical flaws usually manifest in two ways:
1. **Core Flaws:** Remote code execution or arbitrary file read via path traversal or CLI argument parsing, and bypasses of the Groovy script-security sandbox that let a user with job-configuration rights run unsandboxed code on the controller.
2. **Plugin Flaws:** The ecosystem's reliance on Groovy scripting and on plugin-defined HTTP endpoints produces a sprawl of handlers missing permission or CSRF checks, which unauthenticated or low-privileged users can abuse to execute commands or read stored credentials.
## Exploitation
- **Status:** PoC available for many core CVEs; high-risk plugins are frequently exploited in the wild.
- **Complexity:** Low (Many vulnerabilities utilize simple HTTP requests or CLI commands).
- **Attack Vector:** Network (2% of all vulnerable Jenkins instances are directly exposed to the internet).
## Impact
- **Confidentiality:** **High** (Theft of API tokens, cloud credentials, and source code).
- **Integrity:** **High** (Ability to modify build artifacts and inject malicious code into production pipelines).
- **Availability:** **High** (An attacker with controller access can halt or delete pipelines and disrupt the connected cloud environments the CI/CD credentials reach).
## Remediation
### Patches
- **Core Update:** Immediately upgrade to the latest **Jenkins LTS** version.
- **Plugin Audit:** Remove plugins marked "Up for Adoption" or "Deprecated" in the plugin index, and any plugin with an open, unfixed advisory.
- **Specific Fixes:** Update `extended-choice-parameter` and other vulnerable plugins identified in the Jenkins Security Advisory list.
### Workarounds
- **Least Privilege:** Reduce cloud-level permissions for Jenkins service accounts (moving away from Administrative roles).
- **Network Isolation:** Remove Jenkins instances from public-facing internet access; use VPNs or Zero Trust tunnels.
- **Plugin Management:** Maintain a "Golden Image" of the controller with a pinned, reviewed plugin list so developers cannot install unmaintained legacy components on the fly.
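The plugin audit and pinned-plugin-list steps above can be checked mechanically. The script below is an added example for this summary, not code from the Wiz research or from the Jenkins project. It relies on two real Jenkins interfaces, the Plugin Manager JSON API (`/pluginManager/api/json?depth=1`, with the `shortName`, `version`, `active` and `hasUpdate` fields) and the `X-Jenkins` header that every controller response carries; the deprecated-plugin list (seeded from the two plugins named in Affected Systems) and the minimum acceptable core version are policy inputs you set, and the JSON response and headers embedded below are constructed samples so it runs offline.

```python
"""Audit a Jenkins controller's plugin inventory and core version.

Added example, not code from the Wiz research or from the Jenkins project.
Real Jenkins interfaces used: /pluginManager/api/json?depth=1 (fields
shortName, version, active, hasUpdate) and the X-Jenkins response header.
The deprecated-plugin set and the minimum core version are policy inputs;
the JSON and headers below are constructed samples for offline use.
"""
import json
import re
import sys

# Plugins this page names as deprecated; extend from the Jenkins advisory list.
DEPRECATED = {"workflow-cps-global-lib", "extended-choice-parameter"}

# Constructed sample of a trimmed /pluginManager/api/json?depth=1 response.
SAMPLE_PLUGIN_API = json.dumps({"plugins": [
    {"shortName": "workflow-cps", "version": "3806.va_3a_6988277b_2",
     "active": True, "hasUpdate": True},
    {"shortName": "workflow-cps-global-lib", "version": "609.vd95673479149",
     "active": True, "hasUpdate": False},
    {"shortName": "extended-choice-parameter", "version": "346.vd87693c5a_86c",
     "active": True, "hasUpdate": True},
    {"shortName": "git", "version": "5.2.1", "active": True, "hasUpdate": False},
]})

# Constructed sample headers; X-Jenkins is the header a real controller sends.
SAMPLE_HEADERS = {"X-Jenkins": "2.414.3", "Content-Type": "text/html"}


def parse_version(text):
    """Leading dotted numeric prefix as a tuple: '2.426.3' -> (2, 426, 3),
    '3806.va_3a_6988277b_2' -> (3806,). Enough to order versions on one line."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def audit_plugins(api_json, deprecated=DEPRECATED):
    """Return findings as (shortName, issue, version) tuples.

    'deprecated' means remove, not update; 'update-available' means the update
    centre already offers a newer release, which for a plugin with an open
    advisory is usually the security fix."""
    findings = []
    for plugin in json.loads(api_json)["plugins"]:
        name, version = plugin["shortName"], plugin["version"]
        if name in deprecated:
            findings.append((name, "deprecated", version))
        if plugin.get("hasUpdate"):
            findings.append((name, "update-available", version))
    return findings


def core_version_ok(headers, minimum):
    """True if the X-Jenkins header is at least `minimum` (a version you pick,
    e.g. the oldest LTS line still receiving fixes); None if the header is absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    current = lowered.get("x-jenkins")
    if current is None:
        return None
    return parse_version(current) >= parse_version(minimum)


if __name__ == "__main__":
    # Pipe a live response in, for example:
    #   curl -s -u user:apitoken "$JENKINS_URL/pluginManager/api/json?depth=1" | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_API
    for name, issue, version in audit_plugins(data):
        print(f"{issue:18} {name} ({version})")
    print("core version acceptable:", core_version_ok(SAMPLE_HEADERS, "2.414.1"))
```

Run against a live controller with an account that has Overall/Read and compare the output with your golden-image plugin list; anything not on the list, or flagged `deprecated`, is a removal ticket rather than an upgrade ticket. The `X-Jenkins` check needs no credentials at all, which is also why it is a useful signal when scanning for exposed controllers.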
## Detection
- **Indicators of Compromise:**
- Groovy script execution through the script console (`/script`, `/scriptText`) or the CLI by users or source addresses that do not normally use them.
- Outbound connections from Jenkins controllers or agents to unknown IP addresses (potential credential exfiltration).
- Modification of `config.xml`, `credentials.xml`, or job `config.xml` files under `$JENKINS_HOME` by unexpected users or outside change windows.
- **Detection Methods:**
- Use vulnerability scanners, or the `X-Jenkins` response header, to identify EOL Jenkins versions.
- Inventory installed plugins through the Plugin Manager API and alert on `workflow-cps-global-lib`, `extended-choice-parameter`, or any plugin named in a current advisory.
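The first indicator above, script execution from an unexpected source, can be turned into a concrete detection. The following is an added example for this summary, not code from the Wiz research or the Jenkins project. It assumes a reverse proxy in front of the controller writing combined-format access logs, and the log lines embedded in it are constructed. The paths it watches are real Jenkins URLs: `/script` and `/scriptText` (controller script console), `/computer/<agent>/script` (agent script console), `/cli` (the HTTP CLI endpoint, the surface of CVE-2024-23897 cited on this page) and `/pluginManager/uploadPlugin`.

```python
"""Flag use of code-execution endpoints in a reverse proxy's Jenkins access log.

Added example, not code from the Wiz research or the Jenkins project. Assumes
a proxy in front of the controller writing combined-format access logs; the
log lines are constructed. The paths are real Jenkins URLs: /script and
/scriptText (script console), /computer/<agent>/script (agent script console),
/cli (HTTP CLI endpoint) and /pluginManager/uploadPlugin (plugin upload).
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint pattern -> label. A successful request to any of these means someone
# ran code on, or loaded code into, the controller.
SENSITIVE = [
    (re.compile(r"^/(?:script|scriptText)(?:[/?]|$)"), "script-console"),
    (re.compile(r"^/computer/[^/]+/script(?:[/?]|$)"), "agent-script-console"),
    (re.compile(r"^/cli(?:[/?]|$)"), "cli-endpoint"),
    (re.compile(r"^/pluginManager/uploadPlugin(?:[/?]|$)"), "plugin-upload"),
]

# Constructed sample log: an admin using the script console, an unauthenticated
# source talking to the CLI endpoint, and a service account uploading a plugin.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2025:10:01:02 +0000] "GET /job/build-api/lastBuild/consoleText HTTP/1.1" 200 5120
10.0.0.5 - alice [12/Mar/2025:10:01:09 +0000] "GET /script HTTP/1.1" 200 8100
10.0.0.5 - alice [12/Mar/2025:10:01:15 +0000] "POST /script HTTP/1.1" 200 9120
203.0.113.7 - - [12/Mar/2025:10:02:30 +0000] "POST /cli?remoting=false HTTP/1.1" 200 640
203.0.113.7 - - [12/Mar/2025:10:02:31 +0000] "POST /cli?remoting=false HTTP/1.1" 200 2201
10.0.0.9 - svc-deploy [12/Mar/2025:10:03:00 +0000] "POST /pluginManager/uploadPlugin HTTP/1.1" 302 0
10.0.0.9 - svc-deploy [12/Mar/2025:10:03:10 +0000] "GET /api/json?tree=jobs[name] HTTP/1.1" 200 3300
"""


def detect(log_text):
    """Return one dict per request that touched a sensitive endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for pattern, label in SENSITIVE:
            if pattern.match(m["path"]):
                hits.append({
                    "ip": m["ip"], "user": m["user"], "method": m["method"],
                    "path": m["path"], "status": int(m["status"]), "label": label,
                    # The proxy logs '-' when Jenkins did not authenticate the request.
                    "anonymous": m["user"] == "-",
                    # GET /script only renders the console form; a POST there, or any
                    # request to /scriptText, /cli or the upload URL, executes or installs.
                    "executes": not (m["method"] == "GET" and label == "script-console"),
                })
                break
    return hits


def summarize(hits):
    """Collapse hits into (ip, user, label) -> count, busiest actor first, so a
    source hammering the CLI endpoint shows as one line rather than hundreds."""
    counts = Counter((h["ip"], h["user"], h["label"]) for h in hits)
    return sorted(counts.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    for (ip, user, label), n in summarize(detect(SAMPLE_LOG)):
        print(f"{n:4}  {ip:15} {user:12} {label}")
```

Jenkins core does not by itself write an audit record of script-console or CLI use (the Audit Trail plugin adds one), so the proxy log is often the only trace. Tune the output by allowlisting the source addresses of known admin hosts, and treat any anonymous hit on `/cli` as worth a look: the CLI file-read flaw named on this page was reachable, at least in part, without Overall/Read permission.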
## References
- **Vendor Advisory:** [https://www.jenkins.io/security/advisories/](https://www.jenkins.io/security/advisories/)
- **Original Research:** [https://www.wiz.io/blog/securing-jenkins-top-attack-flows-misconfigurations](https://www.wiz.io/blog/securing-jenkins-top-attack-flows-misconfigurations)
- **Vulnerability Database:** [https://www.wiz.io/vulnerability-database/](https://www.wiz.io/vulnerability-database/)