Jenkins Multiple Vulnerabilities
Multiple vulnerabilities were identified in Jenkins. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, sensitive information disclosure, cross-site scripting and security restriction bypass on the targeted system.
Note:
For CVE-2024-23897, arbitrary file read vulnerability through the CLI can lead to RCE. The CVE-2024-23897 vulnerability is being exploited in the wild.
CVE-2024-23897 affects Jenkins weekly versions up to and including 2.441, Jenkins LTS versions up to and including 2.426.2.
RISK: Extremely High Risk
TYPE: Operating Systems – Mobile & Apps
Impact
- Remote Code Execution
- Information Disclosure
- Security Restriction Bypass
- Cross-Site Scripting
System / Technologies affected
- Jenkins weekly up to and including 2.441
- Jenkins LTS up to and including 2.426.2
- Git server Plugin up to and including 99.va_0826a_b_cdfa_d
- GitLab Branch Source Plugin up to and including 684.vea_fa_7c1e2fe3
- Log Command Plugin up to and including 1.0.2
- Matrix Project Plugin up to and including 822.v01b_8c85d16d2
- Qualys Policy Compliance Scanning Connector Plugin up to and including 1.0.5
- Red Hat Dependency Analytics Plugin up to and including 0.7.1
Solutions
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
- Jenkins weekly should be updated to version 2.442
- Jenkins LTS should be updated to version 2.426.3
- Git server Plugin should be updated to version 99.101.v720e86326c09
- GitLab Branch Source Plugin should be updated to version 688.v5fa_356ee8520
- Matrix Project Plugin should be updated to version 822.824.v14451b_c0fd42
- Qualys Policy Compliance Scanning Connector Plugin should be updated to version 1.0.6
- Red Hat Dependency Analytics Plugin should be updated to version 0.9.0
Vulnerability Identifier
- CVE-2023-6147
- CVE-2023-6148
- CVE-2024-23897
- CVE-2024-23898
- CVE-2024-23899
- CVE-2024-23900
- CVE-2024-23901
- CVE-2024-23902
- CVE-2024-23903
- CVE-2024-23904
- CVE-2024-23905
Source
Related Link
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
