
A little personal sharing
- :))) Okay, so before diving into this blog post, I was actually mind-blown myself that I managed to find and contribute a bug to the Jenkins community. The feeling of satisfaction is indescribable :) finding my first RCE in the world's most popular CI/CD platform, good ol' badass Jenkins. Un-freaking-believable.
- This blog post of mine will focus on analyzing the technical details of a Symlink attack in Jenkins Core.
- You guys can check out https://www.jenkins.io/security/advisory/2021-11-04/. Most of the bugs related to the FilePath class are publicly disclosed by Jenkins there.
- Also, I did some research on CVE-2021-21602: https://github.com/advisories/GHSA-vpjm-58cw-r8q5. This was the predecessor and essentially the catalyst that led to my bug :))). Alright, let's get into it!
- You can find my advisory here: https://www.jenkins.io/security/advisory/2026-03-18/. Honestly though, I have no damn idea why Jenkins gave it such a weird-ass title, taking a solid RCE bug and naming it something so trippy and bizarre.

Description
Affected Version
Set-up Jenkins
PoC
Analysis
References