Jenkins Users Beware: Multiple Security Vulnerabilities Discovered


Jenkins, the widely used open-source automation server, has issued a security advisory addressing multiple vulnerabilities affecting both its core and several plugins. These flaws, ranging from denial of service to cross-site scripting, pose significant risks to Jenkins users if left unpatched.

Denial of Service via JSON Processing (CVE-2024-47855)

A denial of service vulnerability (CVSS 7.5) has been identified in Jenkins’ JSON processing library. As the advisory states, “In Jenkins (without plugins) this allows attackers with Overall/Read permission to keep HTTP requests handling threads busy indefinitely, using system resources and preventing legitimate users from using Jenkins.” This means malicious actors could effectively shut down Jenkins instances, disrupting critical development pipelines and causing significant downtime.

Worryingly, the advisory also highlights that “the Jenkins security team has identified multiple plugins that allow attackers lacking Overall/Read permission to do the same. These plugins include SonarQube Scanner and Bitbucket.” This expands the attack surface and increases the risk for Jenkins users who have these plugins installed.

Stored XSS in Simple Queue Plugin (CVE-2024-54003)

A high-severity stored XSS vulnerability (CVSS 8.0) has been discovered in the Simple Queue Plugin. This vulnerability allows attackers with “View/Create” permission to inject malicious scripts that can be executed by other users, potentially leading to data theft, session hijacking, or further system compromise.

Path Traversal in Filesystem List Parameter Plugin (CVE-2024-54004)

The Filesystem List Parameter Plugin also contains a vulnerability (CVSS 4.3) that allows attackers with “Item/Configure” permission to “enumerate file names on the Jenkins controller file system.” While this vulnerability is rated medium severity, it could still provide attackers with valuable information for further attacks.

Mitigation and Remediation

Jenkins has released updated versions to address these vulnerabilities. Users are strongly urged to upgrade to the latest versions immediately:

  • Jenkins weekly: Update to version 2.487
  • Jenkins LTS: Update to version 2.479.2
  • Filesystem List Parameter Plugin: Update to version 0.0.15
  • Simple Queue Plugin: Update to version 1.4.5

The advisory emphasizes that “These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.”

Organizations relying on Jenkins for their automation needs should prioritize these updates to ensure the security and integrity of their CI/CD pipelines.
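To turn the version list above into something a team can run against its own inventory, the following script (an added example, not code from Jenkins or from the advisory) compares a controller's core version and plugin versions against the fixed versions named on this page. It assumes the plugin display names match those used in the advisory and that you can obtain the installed versions yourself; the sample inventory in the block is constructed. Telling LTS from weekly builds by component count relies on the LTS numbering scheme (2.479.2 versus 2.487).

```python
from __future__ import annotations
import re

# Minimum fixed versions, taken from the advisory as quoted on this page.
FIXED_CORE_WEEKLY = "2.487"
FIXED_CORE_LTS = "2.479.2"
FIXED_PLUGINS = {
    "Filesystem List Parameter Plugin": "0.0.15",
    "Simple Queue Plugin": "1.4.5",
}


def parse_version(version: str) -> tuple[int, ...]:
    """'2.479.2' -> (2, 479, 2). A non-numeric trailing component such as
    '.v123abc' (seen in some plugin versions) ends the parse."""
    parts: list[int] = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_at_least(installed: str, required: str) -> bool:
    """True when installed >= required, comparing component by component
    and padding the shorter tuple with zeros."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_core(core_version: str):
    """Return None when the core is at or above the fixed version, otherwise
    (channel, installed, required). LTS releases carry three components
    (2.479.2); weekly releases carry two (2.487)."""
    if len(parse_version(core_version)) >= 3:
        channel, required = "LTS", FIXED_CORE_LTS
    else:
        channel, required = "weekly", FIXED_CORE_WEEKLY
    if version_at_least(core_version, required):
        return None
    return (channel, core_version, required)


def check_plugins(installed: dict[str, str]) -> list[tuple[str, str, str]]:
    """installed maps plugin display name -> version. Only plugins named in
    the advisory are inspected; plugins that are not installed are skipped.
    Returns (name, installed, required) for each outdated plugin."""
    findings: list[tuple[str, str, str]] = []
    for name, required in FIXED_PLUGINS.items():
        current = installed.get(name)
        if current is not None and not version_at_least(current, required):
            findings.append((name, current, required))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; not taken from a real controller.
    sample_core = "2.479.1"
    sample_plugins = {
        "Simple Queue Plugin": "1.4.4",
        "Filesystem List Parameter Plugin": "0.0.15",
        "Git plugin": "5.2.0",
    }
    core = check_core(sample_core)
    if core is not None:
        print(f"core ({core[0]}) {core[1]} is below fixed version {core[2]}")
    for name, current, required in check_plugins(sample_plugins):
        print(f"{name} {current} is below fixed version {required}")
```

On a real controller the core version is reported in the `X-Jenkins` HTTP response header, and the installed plugin list is available to an authenticated user at `/pluginManager/api/json?depth=1`; feeding that output into `check_plugins` (keyed by the plugin's display name, which is assumed here to match the advisory's wording) gives the same findings for your own inventory. Plugins covered by the DoS issue through the JSON library, such as SonarQube Scanner and Bitbucket, are not version-checked here because the page lists no fixed versions for them; the core update is the fix the advisory names.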
