Intigriti - Hack Hub
  • Misconfig Mapper Docs
    • Introduction
    • Supported Services
    • CLI Tool
    • Contributing
  • Services
    • GraphQL
      • GraphQL Introspection Query Enabled
    • Symfony PHP
      • Symfony Profiler Enabled
    • Postman API Platform
      • Public Workspaces
    • Salesforce
      • Salesforce Lightning Aura Components Enabled
    • Trello
      • View Permissions on Trello Boards
    • Figma
      • View access misconfiguration
    • Freshworks Freshservice
      • Open User Registration
    • Slack
      • No Admin Approval for Invitations
    • Atlassian Bitbucket
      • Publicly Accessible Private Repositories
    • Atlassian Confluence
      • Anonymous access to Remote API
      • Disabled XSRF Protection
      • User Email Visibility
      • Misconfigured Spaces
    • Atlassian Jira
      • Open User Registration
      • Atlassian Jira Email Visibility
      • Atlassian Jira Service Desk Open Signups
    • AWS S3
      • Misconfigured List Permissions
    • Cloudflare R2
      • R2.DEV Enabled
    • Google Groups
      • Misconfigured read permissions
    • Google Docs
      • Misconfigured read permissions
    • Google Cloud Storage Bucket
      • Misconfigured access controls
    • Google OAuth
      • Unrestricted email domains
    • Jenkins
      • Open Signups
      • Public Groovy Script Console
    • GitLab
      • Gitlab Private Source Code Snippets Exposed
    • Drupal
      • Drupal Nodes with Misconfigured Access Controls
    • Laravel
      • Debug Mode Enabled
      • Laravel Telescope Enabled In Production
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Services
  2. Jenkins

Public Groovy Script Console

PreviousOpen SignupsNextGitLab

Last updated 1 year ago

Was this helpful?

Description:

Groovy Script Console provides developers a way to run Groovy Script code right from their browser. However, in case permissions aren't configured properly, it could introduce another attack vector and often lead to remote code execution.

Testing:

Navigate to the following app route and check if Groovy Script Console is publicly accessible:

/script

You can also send a POST HTTP request to the /script or /scriptText app routes with your script contents in the script body parameter (make sure to change the positional variables with your own values):

curl -s 'https://jenkins.{HOST}/script' -X 'POST' --data 'script={SCRIPT}'

or:

curl -s 'https://jenkins.{HOST}/scriptText' -X 'POST' --data 'script={SCRIPT}'

Remediation:

Make sure to enforce proper account access restrictions and prevent non-administrator or non-privileged accounts from accessing the script console.

To cross-check this, check the individual user and group permissions:

Potential Impact:

Jenkin's Groovy Script Console is capable of several high-level execution tasks and thereby can allow malicious users to directly access the Jenkins runtime and practically do anything.

References:

Additionally, learn more about the capabilities of the and how to set .

Script Console
proper permissions based on each user or group role
https://www.jenkins.io/doc/book/managing/script-console/
https://www.jenkins.io/doc/book/security/access-control/permissions/
https://rohit-soni.medium.com/chaining-multiple-vulnerabilities-leads-to-remote-code-execution-rce-on-paytm-e77f2fd2295e
Anonymous Users shouldn't have Administrator access