# jenkins exploits

## jenkins exploits

### [iamkashz/ctf-scripts/jenkins-preauth-rce-v2.150.1.sh](https://github.com/iamkashz/ctf-scripts/blob/main/jenkins-preauth-rce-v2.150.1.sh)

### [gquere/pwn\_jenkins](https://github.com/gquere/pwn_jenkins)

1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
4. CheckScript RCE in Jenkins (CVE-2019-1003029, CVE-2019-1003030)
5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)
6. Dumping builds to find cleartext secrets
7. Password spraying
8. Decrypt Jenkins secrets offline

## Additional Reading

* [emtunc.org/research-misconfigured-jenkins-servers/](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/)