Several security vulnerabilities have been found in the open source developer tool Jenkins. The developers are closing them with updated software, and IT managers should apply the updates promptly.
In a security notice, the Jenkins developers list three vulnerable plug-ins. The most serious vulnerability is in the Simple Queue plug-in: it does not escape view names. This results in a stored cross-site scripting vulnerability that can be abused by attackers with "View/Create" permission (CVE-2024-54003, CVSS 8.0, risk "high"). The error has been fixed in plug-in version 1.4.5 and later.
More Jenkins vulnerabilities
The bundled json-lib library has a denial-of-service vulnerability. Jenkins LTS 2.479.1 and 2.486 and older bundle an affected version of org.kohsuke.stapler:json-lib, the developers explain. This allows attackers with "Overall/Read" permission to keep the thread handling HTTP requests busy, consuming system resources and preventing others from using Jenkins. Some plug-ins enable such attacks even without "Overall/Read" permission (CVE-2024-47855, CVSS 7.5, risk "high"). Jenkins LTS 2.479.2 and 2.487 and newer include a fixed version of org.kohsuke.stapler:json-lib.
Finally, there is a path traversal vulnerability in the Filesystem List Parameter plug-in. It allows attackers with "Item/Configure" permission to list files on the Jenkins controller file system (CVE-2024-54004, CVSS 4.3, risk "medium"). Plug-in version 0.0.15 fixes the error.
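As an added example (not part of the article or of the Jenkins project), the following script checks a controller's core version and installed plug-in versions against the fixed versions named above. It assumes the plug-in short names `simple-queue` and `filesystem-list-parameter-plugin` and works offline on a constructed sample in the shape that Jenkins' `/pluginManager/api/json?depth=1` endpoint returns; the helper names are hypothetical.

```python
# Added example: compare a Jenkins controller against the fixed versions from this
# advisory. Plug-in short names are assumptions (the article does not give them).
# Offline: SAMPLE_PLUGINS is a constructed list in the shape returned by
# /pluginManager/api/json?depth=1 ("plugins" entries with shortName and version).
import re
from typing import Iterable

def parse_version(v: str) -> tuple:
    """Leading dotted integers of a version: '2.479.1' -> (2, 479, 1), '1.4.5-beta' -> (1, 4, 5)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))

# (CVE id, assumed plug-in short name, first fixed plug-in version) from the advisory.
PLUGIN_FIXES = [
    ("CVE-2024-54003", "simple-queue", "1.4.5"),                       # stored XSS via view names
    ("CVE-2024-54004", "filesystem-list-parameter-plugin", "0.0.15"),  # path traversal
]
# json-lib DoS (CVE-2024-47855): fixed in LTS 2.479.2 and in weekly 2.487.
CORE_FIX_LTS = "2.479.2"
CORE_FIX_WEEKLY = "2.487"

def core_affected(jenkins_version: str) -> bool:
    """LTS releases carry three components (2.479.1), weekly releases two (2.486)."""
    ver = parse_version(jenkins_version)
    fixed = CORE_FIX_LTS if len(ver) >= 3 else CORE_FIX_WEEKLY
    return ver < parse_version(fixed)

def assess(jenkins_version: str, plugins: Iterable[dict]) -> list:
    """Return the CVE ids from the advisory that still apply to this controller."""
    findings = []
    if core_affected(jenkins_version):
        findings.append("CVE-2024-47855")
    installed = {p["shortName"]: p["version"] for p in plugins}
    for cve, short_name, fixed in PLUGIN_FIXES:
        if short_name in installed and parse_version(installed[short_name]) < parse_version(fixed):
            findings.append(cve)
    return findings

# Constructed sample: an LTS controller still on 2.479.1 with an outdated Simple Queue plug-in.
SAMPLE_PLUGINS = [
    {"shortName": "simple-queue", "version": "1.4.4"},
    {"shortName": "filesystem-list-parameter-plugin", "version": "0.0.15"},
    {"shortName": "example-unrelated-plugin", "version": "3.2.1"},
]

if __name__ == "__main__":
    for cve in assess("2.479.1", SAMPLE_PLUGINS):
        print("update needed:", cve)
```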
About two weeks ago, the Jenkins developers also closed seven security holes, most of them rated high risk. Since attacks on Jenkins servers were observed around August this year, administrators should not hesitate and should apply the available updates as soon as possible.
(DMK)