Jenkins Users Beware: Multiple Security Vulnerabilities Discovered

### #JenkinsSecurity #AutomationRisks #PluginVulnerabilities

Summary: Jenkins has issued a security advisory addressing critical vulnerabilities in its core system and plugins, which could lead to denial of service, cross-site scripting, and data exposure if not patched. Users are urged to update to the latest versions to mitigate these risks.

Threat Actor: Malicious Actors
Victim: Jenkins Users

Key Points:

  • A denial of service vulnerability (CVE-2024-47855) allows attackers with Overall/Read permission to exhaust system resources, impacting legitimate users.
  • Stored XSS vulnerability (CVE-2024-54003) in the Simple Queue Plugin enables script injection by users with View/Create permission, risking data theft and session hijacking.
  • Path traversal vulnerability (CVE-2024-54004) in the Filesystem List Parameter Plugin permits attackers to enumerate file names on the Jenkins controller, potentially aiding further attacks.
  • Jenkins has released updates (versions 2.487 for weekly and 2.479.2 for LTS) to address these vulnerabilities, urging immediate upgrades for all users.

Jenkins, the widely used open-source automation server, has issued a security advisory addressing multiple vulnerabilities affecting both its core and associated plugins. These flaws, ranging from denial of service to cross-site scripting, pose significant risks to Jenkins users if left unpatched.

Denial of Service via JSON Processing (CVE-2024-47855)

A denial of service vulnerability (CVSS 7.5) has been identified in Jenkins’ JSON processing library. As the advisory states, “In Jenkins (without plugins) this allows attackers with Overall/Read permission to keep HTTP requests handling threads busy indefinitely, using system resources and preventing legitimate users from using Jenkins.” This means malicious actors could effectively shut down Jenkins instances, disrupting critical development pipelines and causing significant downtime.

Worryingly, the advisory also highlights that “the Jenkins security team has identified multiple plugins that allow attackers lacking Overall/Read permission to do the same. These plugins include SonarQube Scanner and Bitbucket.” This expands the attack surface and increases the risk for Jenkins users who have these plugins installed.

Stored XSS in Simple Queue Plugin (CVE-2024-54003)

A high-severity stored XSS vulnerability (CVSS 8.0) has been discovered in the Simple Queue Plugin. This vulnerability allows attackers with “View/Create” permission to inject malicious scripts that can be executed by other users, potentially leading to data theft, session hijacking, or further system compromise.

Path Traversal in Filesystem List Parameter Plugin (CVE-2024-54004)

The Filesystem List Parameter Plugin also contains a vulnerability (CVSS 4.3) that allows attackers with “Item/Configure” permission to “enumerate file names on the Jenkins controller file system.” While this vulnerability is rated medium severity, it could still provide attackers with valuable information for further attacks.

Mitigation and Remediation

Jenkins has released updated versions to address these vulnerabilities. Users are strongly urged to upgrade to the latest versions immediately:

  • Jenkins weekly: Update to version 2.487
  • Jenkins LTS: Update to version 2.479.2
  • Filesystem List Parameter Plugin: Update to version 0.0.15
  • Simple Queue Plugin: Update to version 1.4.5

The advisory emphasizes that “These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.”

Organizations relying on Jenkins for their automation needs should prioritize these updates to ensure the security and integrity of their CI/CD pipelines.
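To turn the version list above into a repeatable check, the following script (added here as an illustration; it is not from the advisory or the Jenkins project) compares an instance's core version and installed plugin versions against the fixed versions the advisory names. It assumes the core version is the string Jenkins reports (for example in its `X-Jenkins` response header, where LTS releases carry three components like 2.479.2 and weekly releases two like 2.487), and that plugin data has the shape the plugin manager's JSON API returns (a `plugins` list with `shortName` and `version`). The plugin short names used as keys and the sample inventory are constructed assumptions, not values from the page.

```python
"""Compare a Jenkins inventory against the fixed versions in the advisory.

Fixed versions from the advisory: core 2.487 (weekly), 2.479.2 (LTS),
Filesystem List Parameter Plugin 0.0.15, Simple Queue Plugin 1.4.5.
"""
import re

FIXED_CORE = {"weekly": "2.487", "lts": "2.479.2"}

# Plugin IDs below are ASSUMED short names for the two plugins; check them
# against your own plugin manager output before relying on this mapping.
FIXED_PLUGINS = {
    "filesystem-list-parameter-plugin": "0.0.15",
    "simple-queue": "1.4.5",
}


def parse_version(version):
    """Turn '2.479.2' or '1.4.5-beta' into a tuple of ints.

    Each dot-separated component keeps only its leading digits, so
    '1.4.5-beta' -> (1, 4, 5); an empty or non-numeric component becomes 0.
    """
    parts = []
    for token in version.strip().split("."):
        match = re.match(r"\d+", token)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_fixed(installed, fixed):
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def core_line(version):
    """LTS versions have three components (2.479.2); weekly have two (2.487)."""
    return "lts" if len(parse_version(version)) == 3 else "weekly"


def check_core(version):
    """Report whether the running core is on a fixed release of its line."""
    line = core_line(version)
    return {
        "component": "jenkins-core",
        "line": line,
        "installed": version,
        "fixed": FIXED_CORE[line],
        "ok": is_fixed(version, FIXED_CORE[line]),
    }


def check_plugins(plugin_manager_json):
    """Check only the plugins named in the advisory; others are ignored."""
    findings = []
    for plugin in plugin_manager_json.get("plugins", []):
        fixed = FIXED_PLUGINS.get(plugin.get("shortName"))
        if fixed is None:
            continue
        findings.append({
            "component": plugin["shortName"],
            "installed": plugin["version"],
            "fixed": fixed,
            "ok": is_fixed(plugin["version"], fixed),
        })
    return findings


def needs_update(core_version, plugin_manager_json):
    """Return the names of components still on an affected version."""
    results = [check_core(core_version)] + check_plugins(plugin_manager_json)
    return [r["component"] for r in results if not r["ok"]]


# Constructed sample inventory: an LTS controller one release behind the fix,
# Simple Queue Plugin unpatched, Filesystem List Parameter Plugin patched.
SAMPLE_CORE_VERSION = "2.479.1"
SAMPLE_PLUGINS = {
    "plugins": [
        {"shortName": "simple-queue", "version": "1.4.4", "active": True},
        {"shortName": "filesystem-list-parameter-plugin", "version": "0.0.15", "active": True},
        {"shortName": "git", "version": "5.2.0", "active": True},
    ]
}

if __name__ == "__main__":
    for name in needs_update(SAMPLE_CORE_VERSION, SAMPLE_PLUGINS):
        print(f"UPDATE REQUIRED: {name}")
```

Feed the script real data by capturing the core version from the instance and saving the plugin manager JSON to a file; the comparison is purely numeric, so pre-release suffixes are ignored rather than treated as newer.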


Source: https://securityonline.info/jenkins-users-beware-multiple-security-vulnerabilities-discovered