VYPR
High severity · NVD Advisory · Published Nov 13, 2024 · Updated Nov 13, 2024

CVE-2024-52554

Description

Jenkins Shared Library Version Override Plugin declares folder-scoped library overrides as trusted, bypassing sandbox restrictions, allowing code execution without sandbox protection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, meaning they are not executed within the Script Security sandbox [1][2]. This design flaw allows an attacker with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection [3].

Attack

Vector and Prerequisites

The vulnerability can be exploited by any user who has Item/Configure permission on a folder in Jenkins. No other special privileges are required [1]. The attacker simply creates or modifies a folder-scoped library override, and when a pipeline using that folder executes, the override runs as a trusted library, bypassing all sandbox restrictions [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary Groovy code on the Jenkins controller without sandbox restrictions. This can lead to full compromise of the Jenkins instance, including exfiltration of secrets, installation of malware, or further lateral movement within the network [1].

Mitigation

Jenkins has released version 18.v600c6675dcb6 of the Shared Library Version Override Plugin, which addresses this issue by no longer automatically treating folder-scoped library overrides as trusted [1][2]. Users should update to this or a later version immediately. If upgrading is not possible, administrators should review folder-level permissions to ensure that only trusted users hold Item/Configure access on folders.
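A defender's first question is whether a given controller still runs an affected build of the plugin. The following is an added example, not code from the advisory or from the Jenkins project: it parses the JSON that Jenkins returns from `GET /pluginManager/api/json?depth=1` and compares the installed version against the fix versions named on this page. It assumes the plugin's short name equals the Maven artifactId shown in the affected-packages table (`shared-library-version-override`), and it relies on the fact that Jenkins incrementals-style versions such as `17.v786074c9fce7` are ordered by their leading integer only; the `.v<hash>` suffix identifies a commit and is not comparable. The sample JSON documents are constructed for the example.

```python
import json
import re

# Assumed plugin short name: taken from the advisory's Maven artifactId.
# Verify it against the "shortName" values your own controller reports.
PLUGIN_SHORT_NAME = "shared-library-version-override"

# Fix thresholds as stated on the advisory page: the narrative names
# 18.v600c6675dcb6, while the GitHub Security Advisory data lists 19.v3a.
FIXED_VERSION_NARRATIVE = "18.v600c6675dcb6"
FIXED_VERSION_GHSA = "19.v3a"

# Incrementals-style version: leading ordinal, optional ".v<commit hash>".
_VERSION_RE = re.compile(r"^(\d+)(?:\.v[0-9a-f]+)?$")


def version_ordinal(version: str) -> int:
    """Return the leading integer of a Jenkins incrementals-style version.

    Only this integer is ordered; the hash suffix is ignored. A version in a
    different format is rejected rather than silently misordered.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version format: {version!r}")
    return int(m.group(1))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION_NARRATIVE) -> bool:
    """True when the installed build precedes the fix build."""
    return version_ordinal(installed) < version_ordinal(fixed)


def assess_plugins(plugin_api_json: str, fixed: str = FIXED_VERSION_NARRATIVE) -> dict:
    """Inspect /pluginManager/api/json?depth=1 output for the affected plugin.

    Returns a dict with: installed, active, version, vulnerable.
    An inactive but installed vulnerable build is still reported as
    vulnerable, since it only needs a restart to become loadable.
    """
    data = json.loads(plugin_api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin["version"]
        return {
            "installed": True,
            "active": bool(plugin.get("active", True)),
            "version": version,
            "vulnerable": is_vulnerable(version, fixed),
        }
    return {"installed": False, "active": False, "version": None, "vulnerable": False}


# Constructed sample responses (shape follows the Jenkins plugin manager API).
SAMPLE_VULNERABLE = json.dumps({
    "plugins": [
        {"shortName": "workflow-cps", "version": "3953.v19f11da_8d2fa_", "active": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": "17.v786074c9fce7", "active": True},
    ]
})
SAMPLE_PATCHED = json.dumps({
    "plugins": [
        {"shortName": PLUGIN_SHORT_NAME, "version": "19.v3a", "active": True},
    ]
})


if __name__ == "__main__":
    for label, doc in (("vulnerable sample", SAMPLE_VULNERABLE), ("patched sample", SAMPLE_PATCHED)):
        print(label, assess_plugins(doc))
```

In practice the JSON is fetched with an API token, for example `curl -u user:token "$JENKINS_URL/pluginManager/api/json?depth=1"`, and fed to `assess_plugins`. Passing `FIXED_VERSION_GHSA` as the `fixed` argument applies the more conservative threshold from the affected-packages table below.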

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.jenkins.plugins:shared-library-version-override | Maven | < 19.v3a | 19.v3a |

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1