Cyber Security News

Critical Jenkins Vulnerability Let Attackers Trigger DoS & Inject Scripts

A series of vulnerabilities have been identified, posing significant risks to the system’s security.

These vulnerabilities could allow attackers to trigger denial of service (DoS) attacks and execute script injections, as highlighted in recent advisories.

Denial of Service Vulnerability in JSON Library – CVE-2024-47855

A major vulnerability, identified as CVE-2024-47855, affects the Jenkins system due to its use of the org.kohsuke.stapler:json-lib library to process JSON data.

This library, which is a Jenkins project fork of the original net.sf.json-lib:json-lib, has been found susceptible in Jenkins LTS versions 2.479.1 and earlier, and in version 2.486 and earlier.

Attackers with Overall/Read permission can exploit this vulnerability to monopolize HTTP request handling threads, leading to indefinite system resource usage that prevents legitimate use of Jenkins.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Even more concerning, several plugins, such as SonarQube Scanner and Bitbucket, permit attackers without Overall/Read permissions to exploit this flaw.

These plugins, or other features processing user-provided JSON, may also be vulnerable, potentially causing those features to be unavailable.

The security team has patched this vulnerability by backporting fixes from org.kordamp.json:json-lib-core to org.kohsuke.stapler:json-lib, culminating in version 2.4-jenkins-8. The fix is included in Jenkins LTS version 2.479.2 and version 2.487.

Stored XSS Vulnerability in Simple Queue Plugin – CVE-2024-54003

Another critical issue is the stored cross-site scripting (XSS) vulnerability in the Simple Queue Plugin, identified as CVE-2024-54003.

Versions 1.4.4 and earlier do not adequately escape view names, enabling attackers with View/Create permission to execute malicious scripts.

This vulnerability has been rectified in Simple Queue Plugin version 1.4.5, which ensures appropriate escaping of view names to mitigate XSS risks.

Path Traversal Vulnerability in Filesystem List Parameter Plugin – CVE-2024-54004

The Filesystem List Parameter Plugin, versions 0.0.14 and earlier, suffers from a path traversal vulnerability (CVE-2024-54004).

This flaw allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. The issue is addressed in version 0.0.15, which restricts paths to an allow list by default, confined to $JENKINS_HOME/userContent/.

Affected Versions and Fixes

  • Jenkins weekly: Up to and including 2.486
  • Jenkins LTS: Up to and including 2.479.1
  • Filesystem List Parameter Plugin: Up to and including 0.0.14
  • Simple Queue Plugin: Up to and including 1.4.4

As per a report by Jenkins, Users are strongly advised to update Jenkins weekly to version 2.487 and Jenkins LTS to version 2.479.2.

Additionally, affected plugins should be updated to their latest versions to ensure protection against these vulnerabilities. Failure to apply these updates leaves systems exposed to potential exploitation.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

20 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

20 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

21 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

21 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

24 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

1 day ago