ADVISORY!
TLP : CLEAR
Date : 08/08/2024
REF NO : CERT / 2024/08/71
Jenkins Multiple Vulnerabilities
Severity Level: Medium
Components Affected
- Jenkins weekly up to and including 2.470
- Jenkins LTS up to and including 2.452.3
Overview
Multiple vulnerabilities were identified in Jenkins. A remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege and remote code execution on the targeted system.
Description
Jenkins versions 2.470 and earlier, as well as LTS versions 2.452.3 and earlier, are affected by two critical vulnerabilities. The first vulnerability allows agent processes to read arbitrary files from the Jenkins controller file system by exploiting the `ClassLoaderProxy#fetchJar` method in the Remoting library. The second vulnerability involves an HTTP endpoint that fails to perform proper permission checks, enabling attackers with Overall/Read permission to access other users’ “My Views.” These issues could potentially lead to unauthorized data access and security breaches.
Impact
- Remote Code Execution
- Elevation of Privilege
Solution/ Workarounds
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
Reference
Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre
- Hotline : 101
- +94 11 269 1692
- Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
- General inquiry: cert@cert.gov.lk
- Security incidents: incidents@cert.gov.lk
- Social media incidents: report@cert.gov.lk
