CVE-2024-43044: Critical Jenkins Vulnerability Exposes Servers to RCE Attacks


Today, Jenkins, the popular open-source automation server, has issued an urgent advisory detailing two vulnerabilities, one with a critical severity rating. These vulnerabilities, identified as CVE-2024-43044 and CVE-2024-43045, expose Jenkins instances to arbitrary file read and unauthorized access risks, respectively.

CVE-2024-43044 (Severity: Critical): Arbitrary file read vulnerability through agent connections can lead to RCE

The more severe of the two, CVE-2024-43044, can lead to remote code execution on Jenkins controllers. It stems from a flaw in the Remoting library, which handles communication between Jenkins controllers and agents: through an agent connection, an attacker can read arbitrary files from the controller's file system, potentially exposing sensitive configuration data, credentials, or source code. The impact is considerable, since that level of access could let an attacker take complete control of a Jenkins instance and its associated build processes.

CVE-2024-43045 (Severity: Medium): Missing permission check allows accessing other users’ “My Views”

The second vulnerability, CVE-2024-43045, is a missing permission check that allows unauthorized access to other users' "My Views," the personalized dashboards in Jenkins. It could expose sensitive information and let an attacker modify those views, potentially disrupting workflows or causing confusion. While not as severe as the critical RCE vulnerability, it still poses a significant risk to the privacy and integrity of Jenkins users' data.

Affected Versions and Remediation

Jenkins versions up to and including 2.470 (weekly) and 2.452.3 (LTS) are affected by both vulnerabilities. Jenkins has released fixed versions: 2.471 (weekly), and 2.452.4 and 2.462.1 (LTS). All Jenkins users are strongly urged to update their installations immediately to mitigate the risk of exploitation.
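To turn the version boundaries above into a fleet check, the following added example (written for this page, not code from Jenkins or the advisory) parses Jenkins version strings, distinguishes weekly releases (two components, e.g. 2.470) from LTS releases (three components, e.g. 2.452.3), and flags any version older than the first fixed release of its line. The inventory it triages is constructed sample data; the `X-Jenkins` response header it mimics is a real header Jenkins sets, but the host names and values are made up, and the `triage` and `recommended_upgrade` helpers are this example's own.

```python
"""Triage Jenkins versions against the fixed releases named in the advisory
for CVE-2024-43044 / CVE-2024-43045. Added example, not Jenkins project code."""
import re
from typing import List, Optional, Tuple

# Fixed releases exactly as the advisory states them.
FIXED_WEEKLY = (2, 471)          # 2.470 and earlier weekly releases are affected
FIXED_LTS = (2, 452, 4)          # 2.452.3 and earlier LTS releases are affected
LATEST_FIXED_LTS = "2.462.1"     # newest fixed LTS line named in the advisory

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Constructed inventory line format (hypothetical): "<host>  X-Jenkins: <version>"
_INVENTORY_RE = re.compile(r"^(\S+)\s+X-Jenkins:\s*(\S+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return a numeric tuple for a Jenkins version string, or None if it
    does not look like a version. Suffixes such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def release_line(version: Tuple[int, ...]) -> str:
    """Jenkins LTS versions carry three components, weekly releases two."""
    return "lts" if len(version) == 3 else "weekly"


def is_affected(text: str) -> Optional[bool]:
    """True if the version predates the first fixed release of its line,
    False if it is at or beyond that release, None if unparsable.
    Assumption: any LTS older than 2.452.4 is treated as affected, which
    matches the advisory's 'up to and including 2.452.3'."""
    version = parse_version(text)
    if version is None:
        return None
    if release_line(version) == "lts":
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def recommended_upgrade(text: str) -> Optional[str]:
    """Map an affected version to the fixed release named in the advisory:
    2.452.x LTS -> 2.452.4, any other LTS -> 2.462.1, weekly -> 2.471."""
    version = parse_version(text)
    if version is None:
        return None
    if release_line(version) == "lts":
        return "2.452.4" if version[:2] == (2, 452) else LATEST_FIXED_LTS
    return "2.471"


def triage(inventory: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Parse constructed inventory lines and return (host, version, affected)."""
    results = []
    for line in inventory.splitlines():
        m = _INVENTORY_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        host, version = m.group(1), m.group(2)
        results.append((host, version, is_affected(version)))
    return results


# Constructed sample inventory; hosts and versions are made up for illustration.
SAMPLE_INVENTORY = """\
ci-prod.example.internal   X-Jenkins: 2.452.3
ci-dev.example.internal    X-Jenkins: 2.470
ci-lab.example.internal    X-Jenkins: 2.462.1
ci-old.example.internal    X-Jenkins: 2.440
"""

if __name__ == "__main__":
    for host, version, affected in triage(SAMPLE_INVENTORY):
        status = "AFFECTED" if affected else ("ok" if affected is False else "unknown")
        fix = f" -> upgrade to {recommended_upgrade(version)}" if affected else ""
        print(f"{host:28} {version:10} {status}{fix}")
```

The comparison deliberately keys on the first fixed release of each line rather than on an explicit list of affected versions, so an unusual LTS string such as 2.440.1 (not named in the advisory) is still flagged as older than 2.452.4; if your inventory carries plugin or agent versions in the same field, filter those out before calling `triage`, since they use different numbering.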
