A series of vulnerabilities has been identified in Jenkins, posing significant risks to the security of affected installations.
These vulnerabilities allow attackers to trigger denial of service (DoS) conditions and inject scripts, as detailed in the latest Jenkins security advisory.
Denial of Service Vulnerability in JSON Library – CVE-2024-47855
A significant vulnerability, tracked as CVE-2024-47855, affects Jenkins through its use of the org.kohsuke.stapler:json-lib library to process JSON data.
This library, a Jenkins project fork of the original net.sf.json-lib:json-lib, is vulnerable in Jenkins LTS 2.479.1 and earlier and in Jenkins weekly 2.486 and earlier.
Attackers with Overall/Read permission can exploit this vulnerability to keep HTTP request handling threads busy indefinitely, consuming system resources until legitimate use of Jenkins is no longer possible.
More concerning, several plugins, such as SonarQube Scanner and Bitbucket, expose endpoints that let attackers without Overall/Read permission exploit this flaw, so the library can be reached from unauthenticated requests on some installations.
These plugins, and any other feature that processes user-provided JSON, may also be vulnerable in their own right, potentially rendering those features unavailable.
The Jenkins security team patched the vulnerability by backporting fixes from org.kordamp.json:json-lib-core into org.kohsuke.stapler:json-lib, released as version 2.4-jenkins-8. Because the library ships with Jenkins core, the fix is delivered by updating core itself: it is included in Jenkins LTS 2.479.2 and Jenkins weekly 2.487.
Stored XSS Vulnerability in Simple Queue Plugin – CVE-2024-54003
Another significant issue is a stored cross-site scripting (XSS) vulnerability in the Simple Queue Plugin, tracked as CVE-2024-54003.
Versions 1.4.4 and earlier do not escape view names, enabling attackers with View/Create permission to store a script in a view name that executes in the browser of anyone who views the affected page.
This vulnerability is fixed in Simple Queue Plugin 1.4.5, which escapes view names before rendering them.
Path Traversal Vulnerability in Filesystem List Parameter Plugin – CVE-2024-54004
The Filesystem List Parameter Plugin, versions 0.0.14 and earlier, suffers from a path traversal vulnerability (CVE-2024-54004).
The flaw allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system by pointing the parameter at an arbitrary directory. The issue is addressed in version 0.0.15, which restricts the directories the parameter may list to an allow list, confined by default to $JENKINS_HOME/userContent/.
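The following is an added example, not the Filesystem List Parameter Plugin's own code, showing the kind of allow-list check the 0.0.15 fix describes: a user-supplied directory is accepted only if it resolves inside an allowed root after symlinks and ".." segments are collapsed. The helper names and the throwaway JENKINS_HOME layout are assumptions made for this illustration.

```python
import os
import tempfile
from pathlib import Path


def is_within_allowed_roots(requested: str, allowed_roots: list) -> bool:
    """True only if `requested` resolves (symlinks and '..' collapsed) to a
    location inside one of `allowed_roots`. Comparing path components via
    relative_to(), rather than str.startswith(), also rejects sibling
    directories that merely share a prefix (userContent vs userContent_evil)."""
    target = Path(requested).resolve(strict=False)
    for root in allowed_roots:
        try:
            target.relative_to(Path(root).resolve(strict=False))
            return True
        except ValueError:
            continue
    return False


def list_directory_safely(requested: str, allowed_roots: list) -> list:
    """The plugin-style operation: list file names in a configured directory,
    but only after the allow-list check has passed."""
    if not is_within_allowed_roots(requested, allowed_roots):
        raise PermissionError(f"path not in allow list: {requested}")
    return sorted(os.listdir(requested))


def demo() -> dict:
    """Constructed fixture (assumption): a throwaway JENKINS_HOME holding
    userContent/ plus a secrets/ directory an attacker would like to enumerate."""
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))
    (home / "userContent").mkdir()
    (home / "userContent" / "readme.txt").write_text("ok")
    (home / "secrets").mkdir()
    (home / "secrets" / "master.key").write_text("x")
    link = home / "userContent" / "escape"  # symlink that points outside the root
    try:
        link.symlink_to(home / "secrets", target_is_directory=True)
    except OSError:
        link = None  # platform without symlink support; that case is skipped below

    allow = [home / "userContent"]
    return {
        "inside_root": is_within_allowed_roots(str(home / "userContent"), allow),
        "dotdot": is_within_allowed_roots(str(home / "userContent" / ".." / "secrets"), allow),
        "absolute": is_within_allowed_roots(str(home / "secrets"), allow),
        "prefix_trick": is_within_allowed_roots(str(home / "userContent_evil"), allow),
        "symlink": is_within_allowed_roots(str(link), allow) if link else False,
        "listing": list_directory_safely(str(home / "userContent"), allow),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13} -> {outcome}")
```

Only the `inside_root` case passes; the `..` escape, the absolute path to `secrets/`, the shared-prefix sibling and the symlink planted inside `userContent/` are all rejected because the comparison is done on resolved path components rather than on the raw string.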
Affected Versions and Fixes
- Jenkins weekly: up to and including 2.486
- Jenkins LTS: up to and including 2.479.1
- Filesystem List Parameter Plugin: up to and including 0.0.14
- Simple Queue Plugin: up to and including 1.4.4
As stated in the Jenkins advisory, users are strongly advised to update Jenkins weekly to 2.487 and Jenkins LTS to 2.479.2.
Additionally, the affected plugins should be updated to their latest versions (Simple Queue Plugin 1.4.5 and Filesystem List Parameter Plugin 0.0.15) to ensure protection against these vulnerabilities. Failure to apply these updates leaves systems exposed to potential exploitation.
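As an added example (not part of the advisory or of any Jenkins tooling), the version ranges above can be turned into a small triage helper that flags an installation's core and plugin versions. The inventory at the bottom is constructed for illustration, the plugin display names are used as keys (an assumption, not the plugins' artifact IDs), and the rule that LTS versions carry three numeric components while weekly versions carry two is a simplifying assumption that ignores pre-release suffixes.

```python
import re

# Affected and fixed versions exactly as listed on the page.
ADVISORY = [
    {"component": "Jenkins weekly", "cve": "CVE-2024-47855", "last_affected": "2.486", "fixed": "2.487"},
    {"component": "Jenkins LTS", "cve": "CVE-2024-47855", "last_affected": "2.479.1", "fixed": "2.479.2"},
    {"component": "Simple Queue Plugin", "cve": "CVE-2024-54003", "last_affected": "1.4.4", "fixed": "1.4.5"},
    {"component": "Filesystem List Parameter Plugin", "cve": "CVE-2024-54004", "last_affected": "0.0.14", "fixed": "0.0.15"},
]
BY_COMPONENT = {e["component"]: e for e in ADVISORY}


def parse_version(v: str) -> tuple:
    """'2.479.1' -> (2, 479, 1). Only the leading digits of each dot-separated
    part are kept (assumption: pre-release suffixes such as '-rc' are ignored)."""
    parts = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def jenkins_line(core_version: str) -> str:
    """LTS releases carry three numeric components (2.479.1), weekly two (2.486)."""
    return "Jenkins LTS" if len(parse_version(core_version)) >= 3 else "Jenkins weekly"


def is_affected(component: str, installed: str) -> bool:
    """Affected means installed <= the highest affected version listed above."""
    entry = BY_COMPONENT[component]
    return parse_version(installed) <= parse_version(entry["last_affected"])


def triage(core_version: str, plugins: dict) -> list:
    """Return one finding string per affected component; plugins not named in
    the advisory are ignored."""
    findings = []
    line = jenkins_line(core_version)
    if is_affected(line, core_version):
        e = BY_COMPONENT[line]
        findings.append(f"{line} {core_version}: {e['cve']}, upgrade to {e['fixed']}")
    for name, ver in plugins.items():
        if name in BY_COMPONENT and is_affected(name, ver):
            e = BY_COMPONENT[name]
            findings.append(f"{name} {ver}: {e['cve']}, upgrade to {e['fixed']}")
    return findings


if __name__ == "__main__":
    # Constructed inventory for illustration: an LTS controller on the last
    # affected release with one patched and one unpatched plugin.
    inventory = {"Simple Queue Plugin": "1.4.4", "Filesystem List Parameter Plugin": "0.0.15"}
    for finding in triage("2.479.1", inventory):
        print(finding)
```

Note that the core finding is tied to CVE-2024-47855 regardless of which plugins are installed, since the vulnerable json-lib ships with Jenkins core; the plugin checks only cover the two plugin-specific CVEs from the advisory.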