VYPR
High severity · NVD Advisory · Published Nov 13, 2024 · Updated Nov 26, 2024

CVE-2024-52550
Description

Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pipeline: Groovy Plugin misses approval check for rebuilt builds, allowing attackers with Item/Build permission to execute previously approved but revoked scripts.

Vulnerability

Overview

Pipeline: Groovy Plugin (workflow-cps) versions 3990.vd281dd77a_388 and earlier, except version 3975.3977.v478dd9e956c3 (which already contains the fix), fail to verify whether the main (Jenkinsfile) script of a rebuilt build is currently approved by the Script Security Plugin. This oversight means that even if a script's approval has been revoked since the build was first run, the rebuild action does not re-check the script's approval status. [1][2]

Exploitation

Conditions

An attacker with Item/Build permission (i.e., the ability to trigger rebuilds on existing jobs) can exploit this flaw. They need only identify a previous build whose Jenkinsfile script was once approved but has since had its approval revoked. The attacker does not need Script Security Plugin bypass rights or any other elevated privileges. The vulnerability specifically affects rebuilds, not initial builds; a script that was never approved cannot be used this way. [1]

Impact

By successfully rebuilding a build with a no-longer-approved script, the attacker can execute arbitrary Groovy code in the Jenkins controller context, effectively bypassing script approval controls. This can lead to unauthorized operations, access to sensitive data, or full compromise of the Jenkins controller, depending on the script's capabilities. Jenkins rates this vulnerability as High severity. [1][2]

Mitigation

Pipeline: Groovy Plugin version 3993.v3e20a_37282f8 refuses to rebuild a build whose main script is unapproved, closing this attack vector. Users should upgrade to this version or later immediately. If an upgrade is not possible, restrict Item/Build permission to trusted users only and monitor rebuild activity. [1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins.workflow:workflow-cps (Maven)
Affected versions: < 3993.v3e20a
Patched versions: 3993.v3e20a

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 1