Summary: The Jenkins project has issued a critical security advisory urging users to update their installations due to multiple vulnerabilities that could lead to data theft and unauthorized control of Jenkins servers. Key vulnerabilities include exposure of sensitive data through error messages and flaws in authentication processes that could allow attackers to gain administrator access.
Threat Actor: Unknown | unknown
Victim: Jenkins Users | Jenkins Users
Key Point :
- Multiple vulnerabilities discovered in Jenkins could allow attackers to steal sensitive data and gain control of servers.
- CVE-2024-47803 exposes multi-line secrets through error messages, risking credential theft.
- CVE-2024-47804 enables unauthorized item creation, potentially leading to further exploitation.
- CVE-2024-47805 allows users with “Extended Read” permissions to view encrypted credential values.
- Vulnerabilities in the OpenID Connect Authentication plugin (CVE-2024-47806 & CVE-2024-47807) could let attackers bypass authentication and gain admin access.
- Users are strongly advised to update to the latest versions to mitigate these risks.
The Jenkins project has issued a security advisory, urging users to update their installations immediately due to the discovery of multiple vulnerabilities. These flaws could allow attackers to steal sensitive data, bypass security restrictions, and even gain complete control of Jenkins servers.
The most severe vulnerabilities include:
- CVE-2024-47803: This vulnerability exposes multi-line secrets, such as API keys and passwords, through error messages. This information could be accessed via system logs, potentially giving attackers access to sensitive credentials.
- CVE-2024-47804: Attackers can exploit this flaw to bypass item creation restrictions, enabling them to create temporary items and, with further permissions, persist these items to gain unauthorized access.
- CVE-2024-47805: This vulnerability allows users with “Extended Read” permissions to view encrypted credential values, potentially exposing sensitive information like certificates and secret files.
- CVE-2024-47806 & CVE-2024-47807: These vulnerabilities in the OpenID Connect Authentication plugin fail to validate crucial claims in ID tokens. This oversight could allow attackers to bypass authentication, potentially gaining administrator access to the Jenkins server.
The Jenkins project has released updates to address these vulnerabilities. Users are strongly advised to update to the following versions:
- Jenkins weekly: 2.479
- Jenkins LTS: 2.462.3
- Credentials Plugin: 1381.v2c3a_12074da_b_
- OpenID Connect Authentication Plugin: 4.355.v3a_fb_fca_b_96d4
These vulnerabilities pose significant security risks, including unauthorized access, exposure of sensitive data, and potential takeover of Jenkins instances. Immediate action is required to secure your Jenkins environment against these threats.
For more detailed information, please refer to the official Jenkins security advisory and update your systems accordingly.