
Jenkins Multiple Vulnerabilities

Release Date: 30 Jan 2024

RISK: Extremely High Risk

TYPE: Operating Systems - Mobile & Apps

TYPE: Mobile & Apps

Multiple vulnerabilities were identified in Jenkins. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, sensitive information disclosure, cross-site scripting and security restriction bypass on the targeted system.


Note:

For CVE-2024-23897, an arbitrary file read vulnerability through the Jenkins CLI can lead to remote code execution (RCE). CVE-2024-23897 is being exploited in the wild.


CVE-2024-23897 affects Jenkins weekly versions up to and including 2.441, Jenkins LTS versions up to and including 2.426.2.


Impact

  • Remote Code Execution
  • Information Disclosure
  • Security Restriction Bypass
  • Cross-Site Scripting

System / Technologies affected

  • Jenkins weekly up to and including 2.441
  • Jenkins LTS up to and including 2.426.2
  • Git server Plugin up to and including 99.va_0826a_b_cdfa_d
  • GitLab Branch Source Plugin up to and including 684.vea_fa_7c1e2fe3
  • Log Command Plugin up to and including 1.0.2
  • Matrix Project Plugin up to and including 822.v01b_8c85d16d2
  • Qualys Policy Compliance Scanning Connector Plugin up to and including 1.0.5
  • Red Hat Dependency Analytics Plugin up to and including 0.7.1



Solutions

Before installing the software, please visit the vendor website for more details.

Apply fixes issued by the vendor:


  • Jenkins weekly should be updated to version 2.442
  • Jenkins LTS should be updated to version 2.426.3
  • Git server Plugin should be updated to version 99.101.v720e86326c09
  • GitLab Branch Source Plugin should be updated to version 688.v5fa_356ee8520
  • Matrix Project Plugin should be updated to version 822.824.v14451b_c0fd42
  • Qualys Policy Compliance Scanning Connector Plugin should be updated to version 1.0.6
  • Red Hat Dependency Analytics Plugin should be updated to version 0.9.0
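The affected and fixed core versions listed above differ between the weekly line (2.441 affected, 2.442 fixed) and the LTS line (2.426.2 affected, 2.426.3 fixed), so a naive string comparison misclassifies hosts. The following is an added example, not part of this advisory or of the Jenkins project, that parses a Jenkins version string (for instance the value of the X-Jenkins response header) and reports whether it falls in the CVE-2024-23897 affected range; the sample header values are constructed.

```python
"""Classify Jenkins core versions against the CVE-2024-23897 ranges in this advisory.

Added example, not part of the advisory or of Jenkins. Only the core version
ranges stated above are encoded; plugin versions are not checked.
"""
from __future__ import annotations

import re

# First fixed versions taken from the advisory's Solutions section.
WEEKLY_FIXED = (2, 442)       # weekly up to and including 2.441 is affected
LTS_FIXED = (2, 426, 3)       # LTS up to and including 2.426.2 is affected

VERSION_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not dotted digits."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_lts(version: tuple[int, ...]) -> bool:
    """Jenkins LTS releases carry a third component (2.426.2); weeklies do not (2.441)."""
    return len(version) >= 3


def is_affected_cve_2024_23897(text: str) -> bool:
    """True when the version is at or below the last affected release of its line."""
    version = parse_version(text)
    fixed = LTS_FIXED if is_lts(version) else WEEKLY_FIXED
    # Tuple comparison is component-wise, so (2, 441) < (2, 442) and
    # (2, 426, 2) < (2, 426, 3), while (2, 426, 3) is not below the LTS fix.
    return version < fixed


def triage(x_jenkins_values: list[str]) -> dict[str, bool]:
    """Map each observed X-Jenkins header value to True (affected) or False (fixed)."""
    return {value: is_affected_cve_2024_23897(value) for value in x_jenkins_values}


# Constructed sample header values, not taken from any real host.
SAMPLE_HEADERS = ["2.441", "2.442", "2.426.2", "2.426.3"]

if __name__ == "__main__":
    for value, hit in triage(SAMPLE_HEADERS).items():
        print(f"{value:>8}  {'AFFECTED - apply vendor fix' if hit else 'fixed'}")
```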
