A series of critical vulnerabilities in Jenkins, one of the most widely used open-source automation servers, have been discovered, posing serious security risks. The vulnerabilities, identified in different components of Jenkins, could allow attackers to trigger denial-of-service (DoS) attacks, inject malicious scripts, and gain unauthorized access to sensitive system information. These flaws affect both Jenkins Long-Term Support (LTS) versions and weekly releases, making timely updates essential to prevent exploitation.
The first major issue, identified as CVE-2024-47855, impacts Jenkins’ use of the org.kohsuke.stapler:json-lib library, which processes JSON data. Attackers with minimal permissions can exploit this vulnerability to monopolize HTTP request handling threads, consuming system resources and potentially causing a denial of service. This flaw also affects several plugins, such as SonarQube Scanner and Bitbucket, which could allow attackers to exploit the vulnerability even without the necessary permissions. This issue has been addressed in Jenkins LTS versions 2.479.2 and 2.487, and users are advised to update immediately.
Another critical flaw is the stored cross-site scripting (XSS) vulnerability in the Simple Queue Plugin, tracked as CVE-2024-54003. This issue, found in versions 1.4.4 and earlier, allows attackers with View/Create permissions to inject malicious scripts into the application. The vulnerability arises because view names are not properly escaped, enabling attackers to execute arbitrary scripts when users interact with the affected views. This flaw has been patched in Simple Queue Plugin version 1.4.5, which now ensures proper escaping of view names to mitigate the XSS risk.
Lastly, CVE-2024-54004 addresses a path traversal vulnerability in the Filesystem List Parameter Plugin, found in versions 0.0.14 and earlier. This flaw allows attackers with Item/Configure permissions to enumerate file names on the Jenkins controller file system, potentially exposing sensitive data. The vulnerability has been fixed in version 0.0.15, which restricts paths to an allowlist, limiting access to files in designated locations. To protect against these vulnerabilities, Jenkins users are urged to update both the core system and any affected plugins to their latest versions. Ignoring these updates may leave systems exposed to attacks that could compromise their functionality and security.
Reference:
