Full title: Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE Exploit 
Category: remote exploits
Platform: java
This Metasploit module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. The ACL bypass gadget is specific to Jenkins versions 2.137 and below and will not work on later versions of Jenkins. Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.

# 0day.today @ http://0day.today/