Edit Content
Report Incident
English
Sinhala
Tamil

ADVISORY!

TLP : CLEAR

Date : 30/01/2024

REF NO : CERT / 2024/01/09

Jenkins Multiple Vulnerabilities

Severity Level: High

Components Affected

  • Jenkins weekly up to and including 2.441
  • Jenkins LTS up to and including 2.426.2
  • Git server Plugin up to and including 99.va_0826a_b_cdfa_d
  • GitLab Branch Source Plugin up to and including 684.vea_fa_7c1e2fe3
  • Log Command Plugin up to and including 1.0.2
  • Matrix Project Plugin up to and including 822.v01b_8c85d16d2
  • Qualys Policy Compliance Scanning Connector Plugin up to and including 1.0.5
  • Red Hat Dependency Analytics Plugin up to and including 0.7.1

Overview

Multiple vulnerabilities were identified in Jenkins. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, sensitive information disclosure, cross-site scripting and security restriction bypass on the targeted system.

Description

Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.

This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

  • Attackers with Overall/Read permission can read entire files.

  • Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count.

Impact

  • Remote Code Execution
  • Information Disclosure
  • Security Restriction Bypass
  • Cross-Site Scripting

Solution/ Workarounds

Before installation of the software, please visit the vendor web-site for more details.

Apply fixes issued by the vendor:

  • Jenkins weekly should be updated to version 2.442
  • Jenkins LTS should be updated to version 2.426.3
  • Git server Plugin should be updated to version 99.101.v720e86326c09
  • GitLab Branch Source Plugin should be updated to version 688.v5fa_356ee8520
  • Matrix Project Plugin should be updated to version 822.824.v14451b_c0fd42
  • Qualys Policy Compliance Scanning Connector Plugin should be updated to version 1.0.6
  • Red Hat Dependency Analytics Plugin should be updated to version 0.9.0

Reference

https://www.jenkins.io/security/advisory/2024-01-24/

Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Linkedin-in Facebook-f Twitter Youtube

Quick Links

Useful Links

Contact

  • Hotline : 101
  • +94 11 269 1692
  • Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
  • General inquiry: cert@cert.gov.lk
  • Security incidents: incidents@cert.gov.lk
  • Social media incidents: report@cert.gov.lk

Copyright © 2023 SRI LANKA CERT | CC