Jenkins Origin Validation Bypass Vulnerability in WebSocket CLI Endpoint Allowing DNS Rebinding Attacks

Vulnerability

A vulnerability exists in Jenkins versions 2.442 through 2.554, as well as LTS versions 2.426.3 through 2.541.2. The issue arises because Jenkins performs origin validation for requests to the Command Line Interface (CLI) WebSocket endpoint by deriving the expected origin from the Host or X-Forwarded-Host HTTP request headers. Because these headers reflect the hostname the client connected to, rather than a value the administrator controls, this validation can be bypassed by DNS rebinding attacks. Exploitation of this vulnerability allows attackers to establish WebSocket connections to the CLI endpoint from untrusted origins and execute commands as the anonymous user.
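The following added example (not Jenkins code; function names, header layout and host names are constructed for illustration) contrasts an origin check that derives the expected origin from the Host / X-Forwarded-Host headers with one that compares the Origin header against an administrator-configured root URL, and shows why only the latter rejects a rebound hostname that resolves to the server.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _triple(scheme, netloc):
    """Normalise scheme/netloc to (scheme, host, port), filling in default ports."""
    parts = urlsplit(f"{scheme}://{netloc}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def _origin_triple(origin):
    parts = urlsplit(origin)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def origin_ok_weak(headers):
    """Host-header-derived check (the weak pattern described in the advisory).

    The expected origin is rebuilt from X-Forwarded-Host / Host. A browser that
    reached the server through a rebound DNS name sends that same name in both
    Host and Origin, so the comparison passes even though the origin is untrusted.
    """
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    scheme = headers.get("X-Forwarded-Proto", "http")
    return _origin_triple(headers["Origin"]) == _triple(scheme, host)


def origin_ok_hardened(headers, configured_root_url):
    """Configured-root-URL check: the trusted origin comes only from server
    configuration, which an attacker's DNS records cannot influence."""
    c = urlsplit(configured_root_url)
    expected = (c.scheme, c.hostname, c.port or DEFAULT_PORTS.get(c.scheme))
    return _origin_triple(headers["Origin"]) == expected


# Constructed sample requests (hypothetical host names).
ROOT_URL = "http://jenkins.example.internal:8080"
LEGIT = {"Host": "jenkins.example.internal:8080",
         "Origin": "http://jenkins.example.internal:8080"}
# Same server IP, but reached via a hostname under someone else's DNS control.
REBOUND = {"Host": "rebinder.example",
           "Origin": "http://rebinder.example"}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("rebound", REBOUND)):
        print(name, "weak:", origin_ok_weak(req),
              "hardened:", origin_ok_hardened(req, ROOT_URL))
```

Running it prints that the weak check accepts both requests while the hardened check accepts only the one whose Origin matches the configured root URL.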

Impact

Exploitation of this vulnerability can lead to unauthorized execution of CLI commands via the WebSocket endpoint, with the impact varying based on the permissions assigned to the anonymous user. In cases where the anonymous user has been granted additional permissions or where the 'Anyone can do anything' authorization strategy is in place, this could result in arbitrary code execution by leveraging Groovy scripting capabilities.

Remediation

Users are advised to update Jenkins to version 2.555 or LTS 2.541.3. If the stricter validation causes problems after updating, the previous behavior can be restored by setting the Java system property 'hudson.cli.CLIAction.ACCEPT_URL_FROM_REQUEST' to 'true'. For those unable to update, it is recommended to configure authentication for the Jenkins controller and restrict the permissions granted to the anonymous user.

Added: Mar 18, 2026, 4:26 PM
Updated: Mar 18, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.