An arbitrary file leak (restricted read) in Jenkins that can be used to leak sensitive information in some scenarios. Ultimately the vulnerability comes from Jenkins’ use of args4j, a small but well-known Java library for parsing command line arguments. One of the features of args4j is abusable: any argument prefixed with @ is treated as a path, and the contents of the file at that path are resolved and substituted in as the argument. By invoking the Jenkins CLI tool and getting file contents echoed back in the arguments of enable-job, connect-node, or help, an error message complaining about too many arguments can echo out some of the file contents.

This can be reached via jenkins-cli directly or by sending a POST request to the /cli endpoint. Exploiting this, though, would require an attacker to have access to the Jenkins CLI. They call out configurations that allow anonymous registration and anonymous read permission as particularly susceptible to this bug.
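The root cause and the two mitigations it implies (disable @-expansion for untrusted input; stop error messages from reflecting the offending argument) can be modelled in a few lines. This is an added illustrative example, not Jenkins' or args4j's own code; the "secret" file and the one-argument command are constructed for the demonstration.

```python
import os
import tempfile

# Illustrative model of an args4j-style "@file" feature (added example code,
# not the library's implementation).

def expand_at_args(argv, at_syntax=True):
    """Expand tokens of the form '@<path>' into the whitespace-separated
    contents of that file, as the @-syntax does when it is enabled."""
    expanded = []
    for tok in argv:
        if at_syntax and tok.startswith("@"):
            with open(tok[1:], encoding="utf-8") as fh:
                expanded.extend(fh.read().split())
        else:
            expanded.append(tok)
    return expanded

def handle_command(argv, max_args=1, at_syntax=True, echo_excess=True):
    """Model of a CLI command accepting at most `max_args` positional
    arguments. Returns "OK" or an error string."""
    args = expand_at_args(argv, at_syntax)
    if len(args) > max_args:
        if echo_excess:
            # Reflecting the offending token is what turns a file read into a leak.
            return "ERROR: too many arguments: " + args[max_args]
        return "ERROR: too many arguments"
    return "OK"

def demo():
    """Run the same request against the leaky and the hardened variants.
    The file content below is constructed sample data."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("first-secret second-secret\n")
        path = tmp.name
    try:
        argv = ["@" + path]  # a single token that expands to two arguments
        leaky = handle_command(argv)                       # expands @file, echoes excess
        no_echo = handle_command(argv, echo_excess=False)  # still reads the file, echoes nothing
        hardened = handle_command(argv, at_syntax=False)   # '@...' stays a literal argument
        return leaky, no_echo, hardened
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for label, result in zip(("leaky", "no-echo", "at-syntax off"), demo()):
        print(f"{label:14}: {result}")
```

Only the third variant removes the file read itself; the second merely stops the echo, so a read-oriented fix is the one that closes the restricted-read primitive.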
Server-Side Request Forgery (SSRF) in an undisclosed application for dynamically generating data visualization images and dashboards from external data. Users can provide dashboard templates in the form of a JSON blob, including an item array listing which items to render. Eventually the server creates the dashboard, populates it with the data, and saves and exports it to a PDF or PNG via a headless browser. The problem is that one of the supported input types is an iframe object.

By specifying an item of this type with an attacker-controlled URL, an attacker can get an iframe rendered and thereby run arbitrary JavaScript in the headless browser. By abusing this SSRF to send requests to the json endpoint of the browser's remote debugging API listening on localhost (localhost:9222/json), the URLs of all active tabs can be dumped, which includes session tokens.