Jenkins ACL bypass

After the Jenkins script console exploits became widely known, many administrators disabled anonymous read access in the global security configuration settings:

With this setting, anonymous users could no longer see anything except the specific whitelisted items shown in the following screenshot (the whitelist is defined in Jenkins.java at the following URL: https://github.com/jenkinsci/jenkins/blob/41a13dffc612ca3b5c48ab3710500562a3b40bf7/core/src/main/java/jenkins/model/Jenkins.java#L5258):

We already know that Jenkins is written in Java, and that in Java every class is a subclass of java.lang.Object. Consequently, every object has a getClass() method, and the name getClass() matches the getter naming convention that Jenkins' URL routing relies on. Therefore, one way to bypass the whitelist is to use a whitelisted object as an entry point and jump from it to other objects that the whitelist does not expose directly.

Orange discovered that chaining the following method calls bypasses the ACL, so that the search method can be reached successfully:

jenkins.model.Jenkins.getSecurityRealm()
.getUser([username])
.getDescriptorByName([descriptor_name])

The routing mechanism maps the preceding method chain to the following URL format:

http://jenkins/securityRealm/user/<username>/search/index/q=<search value>
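The URL format above is also what a defender should look for: any request that enters through the whitelisted securityRealm/user/<username> object and then walks on to a further getter (search, descriptorByName, and so on) is walking past the whitelist. The following script is an added example, not code from the page or from Orange's research; it assumes the web server in front of Jenkins writes combined-format access logs (Apache/nginx default), and the sample log lines, IP addresses and the descriptor name in them are constructed for illustration.

```python
"""Flag Jenkins requests that walk past the securityRealm/user/<name> whitelist entry.

Assumption: access logs are in combined log format (Apache/nginx default).
A 2xx served to an unauthenticated client for such a path means the getter
chain was reached despite anonymous read being disabled.
"""
import re
from typing import Dict, List, Optional

# Combined-log-format line; the group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path that enters via the whitelisted securityRealm/user/<name> object and
# continues to at least one more path segment (a further getter in the chain).
BYPASS_RE = re.compile(r'^/securityRealm/user/(?P<username>[^/?]+)/(?P<chain>[^?]+)')

# Constructed sample lines (not real traffic): one search hit, one further
# getter hit, two benign requests, and one request that stops at the user object.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:01:12 +0000] "GET /login HTTP/1.1" 200 2311
10.0.0.7 - - [12/Mar/2019:10:01:13 +0000] "GET /securityRealm/user/admin/search/index?q=a HTTP/1.1" 200 4120
10.0.0.7 - - [12/Mar/2019:10:01:14 +0000] "GET /securityRealm/user/admin/descriptorByName/example.Descriptor/ HTTP/1.1" 200 80
10.0.0.9 - - [12/Mar/2019:10:01:15 +0000] "GET /job/build/ HTTP/1.1" 403 120
10.0.0.7 - - [12/Mar/2019:10:01:16 +0000] "GET /securityRealm/user/admin/ HTTP/1.1" 403 120
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path: str) -> Optional[Dict[str, str]]:
    """Return the username and the getter chain walked past it, or None for benign paths."""
    m = BYPASS_RE.match(path)
    if not m:
        return None
    return {"username": m.group("username"), "chain": m.group("chain").rstrip("/")}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Scan log text and return one alert per request that walks past the user object."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_path(rec["path"])
        if hit is None:
            continue
        # "-" in the user field means no HTTP auth; a 2xx then means the chain
        # was served to an anonymous client. A 4xx means the request was blocked.
        unauthenticated = rec["user"] == "-"
        served = rec["status"].startswith("2")
        alerts.append({
            "ip": rec["ip"],
            "username": hit["username"],
            "chain": hit["chain"],
            "status": rec["status"],
            "severity": "high" if (unauthenticated and served) else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on the shape of the path rather than on one specific getter name, so it also catches chains that continue to objects other than search; the status code and the auth field decide whether the hit is a blocked probe or a successful bypass, which is what an analyst needs to triage it.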

Requesting the whitelisted URL directly, we can see that no action is allowed unless we are logged in:

Now, let's see what happens when we use the ACL bypass chain instead:

We successfully bypassed the ACL and performed a search as an anonymous user.