Cloud security firm Aqua has discovered two critical security flaws in the Jenkins open source automation server, collectively known as CorePlague.
The vulnerabilities, CVE-2023-27898 and CVE-2023-27905, can lead to code execution on targeted systems, allowing unauthenticated attackers to run arbitrary code on the victim’s Jenkins server. All versions of Jenkins prior to 2.319.2 are vulnerable.
The Jenkins server and Update Center are both affected, with the flaws stemming from how Jenkins processes plugins available from the Update Center.
This means that a threat actor could upload a plugin carrying a malicious payload and trigger a cross-site scripting (XSS) attack. The vulnerability is triggered without the victim installing the plugin or even visiting the plugin’s URL.
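To make the mechanism concrete, here is an added, self-contained illustration (not Jenkins’s or Aqua’s code) of the class of flaw described above: plugin metadata fetched from an update feed is rendered into an HTML page, and whether that page is exploitable depends entirely on whether the untrusted fields are escaped first. The feed, the plugin entry and the field names (title, version, excerpt) are constructed for this example; the third function is a defender-side sanity check that flags feed entries containing markup.

```python
import html
import json

# Constructed update-center-style feed (not real Jenkins data). One plugin
# entry's free-text title carries HTML; the field names are assumptions.
CONSTRUCTED_FEED = json.dumps({
    "plugins": {
        "example-plugin": {
            "name": "example-plugin",
            "version": "1.0",
            "title": "Example <script>alert(1)</script> Plugin",
            "excerpt": "Harmless looking description",
        }
    }
})

FIELDS = ("title", "version", "excerpt")


def render_unsafe(feed_json: str) -> str:
    """Vulnerable pattern: feed fields are pasted into HTML verbatim, so any
    markup in a field becomes live markup on the plugin list page."""
    plugins = json.loads(feed_json)["plugins"]
    rows = []
    for p in plugins.values():
        cells = "".join(f"<td>{p[k]}</td>" for k in FIELDS)
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


def render_safe(feed_json: str) -> str:
    """Hardened pattern: every untrusted field is HTML-escaped before it is
    placed in the page, so '<script>' arrives as '&lt;script&gt;' text."""
    plugins = json.loads(feed_json)["plugins"]
    rows = []
    for p in plugins.values():
        cells = "".join(
            f"<td>{html.escape(str(p[k]), quote=True)}</td>" for k in FIELDS
        )
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


def flag_markup_in_feed(feed_json: str) -> list:
    """Defender-side check: return 'plugin.field' names whose text contains
    angle brackets, which plain plugin metadata should never need."""
    plugins = json.loads(feed_json)["plugins"]
    suspicious = []
    for name, p in plugins.items():
        for k in ("title", "excerpt"):
            value = str(p.get(k, ""))
            if "<" in value or ">" in value:
                suspicious.append(f"{name}.{k}")
    return suspicious


if __name__ == "__main__":
    print("unsafe:", render_unsafe(CONSTRUCTED_FEED))
    print("safe:  ", render_safe(CONSTRUCTED_FEED))
    print("flagged:", flag_markup_in_feed(CONSTRUCTED_FEED))
```

The point the two renderers make is that the fix lives at the rendering boundary, not in the feed: a server that escapes on output is safe even if an attacker controls a feed entry, while one that does not is exposed as soon as the page listing available plugins is viewed, which is why no plugin needs to be installed.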
The risk is particularly severe because the flaws affect self-hosted Jenkins servers, including those that are not publicly accessible over the internet.
The public Jenkins Update Center can be “injected by attackers.” The attack requires the rogue plugin to be compatible with the target Jenkins server and to surface at the top of the main feed on the “Available Plugin Manager” page.
Aqua recommends that Jenkins users immediately upgrade to version 2.319.2 or later, and also perform a thorough scan of the Jenkins server for any signs of exploitation.
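A first step in that triage is knowing which version each of your own Jenkins instances is actually running. The following added script (not from Aqua or the Jenkins project) reads the X-Jenkins response header, which Jenkins sets even on the anonymous login page, parses the version into a numeric tuple so that LTS versions such as 2.319.2 and weekly versions such as 2.320 compare correctly, and reports whether the instance is at or above a fixed version passed on the command line. The URL and the fixed version are supplied by the operator; the assumption is only that the instance is reachable over HTTP(S) and not behind a proxy that strips the header.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple


def parse_jenkins_version(text: str) -> Tuple[int, ...]:
    """Turn a Jenkins version string such as '2.319.2' or '2.394' into a tuple
    of ints. Tuple comparison then orders them numerically: (2, 319, 2) is
    newer than (2, 319) and older than (2, 320)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(running: str, first_fixed: str) -> bool:
    """True when the running version is at or above the first fixed version."""
    return parse_jenkins_version(running) >= parse_jenkins_version(first_fixed)


def fetch_jenkins_version(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Return the X-Jenkins header from the server's root URL, or None if the
    header is absent (not a Jenkins instance, or a proxy removed it)."""
    req = urllib.request.Request(base_url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as e:
        # Anonymous requests commonly get 403, but the header is still present.
        return e.headers.get("X-Jenkins")


if __name__ == "__main__":
    # Usage: python check_jenkins.py https://jenkins.example.internal 2.319.2
    # (URL is a placeholder for your own instance; version is the fix you target.)
    if len(sys.argv) != 3:
        sys.exit("usage: check_jenkins.py <jenkins-url> <first-fixed-version>")
    url, fixed = sys.argv[1], sys.argv[2]
    running = fetch_jenkins_version(url)
    if running is None:
        sys.exit(f"{url}: no X-Jenkins header in response")
    state = "patched" if is_patched(running, fixed) else "NOT patched"
    print(f"{url}: Jenkins {running} -> {state} (first fixed: {fixed})")
```

Run it against each instance in your inventory rather than only the public-facing ones, since the article stresses that servers without internet exposure are affected too; an instance that reports no header at all is worth a manual look, because a reverse proxy hiding the version also hides it from this check.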
This attack underscores the importance of regular security updates and a strong cybersecurity posture for open source software systems like Jenkins.