Developer tool Jenkins plugs several security leaks
The developers have found several security vulnerabilities in the software development tool Jenkins. Updates close them.
Several security vulnerabilities have been discovered in the open source developer tool Jenkins. The developers are closing the vulnerabilities with updated software. IT managers should apply the updates quickly.
In the security advisory, the Jenkins developers list three vulnerable components. The most serious is the vulnerability in the Simple Queue plug-in: it does not escape view names, which results in a stored cross-site scripting vulnerability that attackers with "View/Create" permission can exploit (CVE-2024-54003, CVSS 8.0, risk "high"). The bug is corrected in plug-in version 1.4.5 and later.
Further Jenkins vulnerabilities
The json-lib library bundled with Jenkins has a denial-of-service vulnerability. The versions of org.kohsuke.stapler:json-lib bundled in Jenkins LTS 2.479.1 and weekly release 2.486 and older are affected, the developers explain. Attackers with "Overall/Read" permission can keep the threads that handle HTTP requests permanently busy, which consumes system resources and prevents others from using Jenkins. Some plug-ins even allow such attacks without "Overall/Read" permission (CVE-2024-47855, CVSS 7.5, high). Jenkins LTS 2.479.2 and weekly release 2.487 and newer ship a corrected version of org.kohsuke.stapler:json-lib.
Finally, there is a path traversal vulnerability in the Filesystem List Parameter plug-in. Attackers with "Item/Configure" permission can use it to list files on the file system of the Jenkins controller (CVE-2024-54004, CVSS 4.3, medium). Plug-in version 0.0.15 corrects the error.
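The path traversal above belongs to a well-known bug class: a directory listing driven by a user-supplied path that is never confined to the directory the feature was meant to expose. The following is an added illustration of that class and of the containment check that closes it; it is not the plug-in's own code, and the base directory, file names and requested paths are assumptions made for the demo.

```python
"""Added illustration (not the Filesystem List Parameter plug-in's code) of the
bug class behind CVE-2024-54004: a directory listing driven by a user-supplied
path that is not confined to the intended directory. The base directory and
the request values are assumptions made for this demo."""
import os
import tempfile
from pathlib import Path


def list_dir_naive(base_dir, requested):
    """The traversal-prone pattern: join and list without any containment check.
    '..' components and absolute paths walk straight out of base_dir."""
    return sorted(os.listdir(os.path.join(base_dir, requested)))


def list_dir_confined(base_dir, requested):
    """Resolve the candidate (which collapses '..' and follows symlinks) and
    accept it only if it is base_dir itself or lies beneath it."""
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / requested).resolve()  # an absolute 'requested' replaces base here
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes {base}")
    if not candidate.is_dir():
        raise NotADirectoryError(str(candidate))
    return sorted(p.name for p in candidate.iterdir())


def demo():
    """Build a throwaway tree and report what each listing does with '../secret'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "allowed").mkdir()
        (root / "allowed" / "build.txt").write_text("artifact\n")
        (root / "secret").mkdir()
        (root / "secret" / "credentials.xml").write_text("<secrets/>\n")

        ok = list_dir_confined(root / "allowed", ".")
        naive = list_dir_naive(root / "allowed", "../secret")
        try:
            list_dir_confined(root / "allowed", "../secret")
            confined = "listed"
        except PermissionError:
            confined = "blocked"

        # A symlink inside the allowed tree that points outside it is caught as
        # well, because resolve() follows it before the containment check runs.
        symlink = "unsupported"
        try:
            (root / "allowed" / "link").symlink_to(root / "secret")
            try:
                list_dir_confined(root / "allowed", "link")
                symlink = "listed"
            except PermissionError:
                symlink = "blocked"
        except OSError:
            pass  # platform without symlink support; the rest of the demo stands
        return {"ok": ok, "naive": naive, "confined": confined, "symlink": symlink}


if __name__ == "__main__":
    print(demo())
```

The decisive detail is that the check runs on the resolved path, not on the string: a prefix test on the raw input would still let `allowed/../secret` or a symlink through.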
Around two weeks ago, the Jenkins developers had already closed seven security vulnerabilities, most of them rated high risk. Since attacks on Jenkins servers were observed in August of this year, admins should not hesitate but apply the available updates promptly.
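A quick way to see whether a controller is still affected is to compare its core and plug-in versions with the fixed versions named above. The script below is an added example, not Jenkins project code: it consumes the JSON shape that the real Jenkins endpoint GET /pluginManager/api/json?depth=1 returns, but the sample document it runs on offline is constructed. The plug-in short names are the IDs used on plugins.jenkins.io and the LTS-versus-weekly distinction by component count are assumptions you should confirm against your own instance.

```python
"""Added example (not Jenkins project code): flag a Jenkins controller whose core
or plug-in versions are still below the fixed versions named in the advisory.
Input is the JSON shape returned by the real Jenkins endpoint
GET /pluginManager/api/json?depth=1; the sample document below is constructed."""
import base64
import json
import re
import urllib.request

# Fixed versions quoted in the article. The plug-in short names are the IDs
# used on plugins.jenkins.io (assumption: confirm them in your own instance's
# /pluginManager/api/json output before relying on the match).
FIXED_PLUGIN_VERSIONS = {
    "simple-queue": "1.4.5",                       # CVE-2024-54003
    "filesystem-list-parameter-plugin": "0.0.15",  # CVE-2024-54004
}
# json-lib ships inside core, so the core version decides CVE-2024-47855.
FIXED_CORE = {"lts": "2.479.2", "weekly": "2.487"}


def parse_version(version):
    """Leading dotted numeric components as a tuple: '2.479.1' -> (2, 479, 1).
    Trailing suffixes such as '-SNAPSHOT' are ignored, which is good enough
    for the plain versions in this advisory."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_lts(core_version):
    # Assumption: LTS releases carry three components (2.479.2), weeklies two (2.487).
    return len(parse_version(core_version)) >= 3


def core_is_vulnerable(core_version):
    """True if the bundled json-lib is older than the fixed release for this line."""
    line = "lts" if is_lts(core_version) else "weekly"
    return parse_version(core_version) < parse_version(FIXED_CORE[line])


def vulnerable_plugins(plugin_manager_json):
    """Return [(shortName, installed, fixed)] for plug-ins below the fixed version."""
    findings = []
    for plugin in plugin_manager_json.get("plugins", []):
        fixed = FIXED_PLUGIN_VERSIONS.get(plugin["shortName"])
        if fixed and parse_version(plugin["version"]) < parse_version(fixed):
            findings.append((plugin["shortName"], plugin["version"], fixed))
    return findings


def fetch_plugin_list(base_url, user, api_token):
    """Live variant: query the controller with HTTP basic auth (user + API token).
    Not used by the offline demo below."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the shape of the pluginManager API response.
SAMPLE_PLUGINS = json.loads("""
{"plugins": [
  {"shortName": "simple-queue", "version": "1.4.4", "active": true},
  {"shortName": "filesystem-list-parameter-plugin", "version": "0.0.15", "active": true},
  {"shortName": "git", "version": "5.6.0", "active": true}
]}
""")


def report(core_version, plugin_manager_json):
    """Human-readable findings as a list of lines."""
    lines = []
    if core_is_vulnerable(core_version):
        target = FIXED_CORE["lts" if is_lts(core_version) else "weekly"]
        lines.append(f"core {core_version}: vulnerable json-lib (CVE-2024-47855), "
                     f"update to {target} or newer")
    for name, installed, fixed in vulnerable_plugins(plugin_manager_json):
        lines.append(f"plugin {name} {installed}: update to {fixed} or newer")
    return lines or ["no affected versions found"]


if __name__ == "__main__":
    for line in report("2.479.1", SAMPLE_PLUGINS):
        print(line)
```

Against a live controller, pass the output of fetch_plugin_list() together with the core version shown in the X-Jenkins response header or the instance's "About Jenkins" page; the plug-in list requires an account with the permission to view the plug-in manager.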
(dmk)