A series of vulnerabilities have been identified, posing significant risks to the system’s security.
These vulnerabilities could allow attackers to trigger denial of service (DoS) attacks and execute script injections, as highlighted in recent advisories.
A major vulnerability, identified as CVE-2024-47855, affects the Jenkins system due to its use of the org.kohsuke.stapler:json-lib library to process JSON data.
This library, which is a Jenkins project fork of the original net.sf.json-lib:json-lib, has been found susceptible in Jenkins LTS versions 2.479.1 and earlier, and in version 2.486 and earlier.
Attackers with Overall/Read permission can exploit this vulnerability to monopolize HTTP request handling threads, leading to indefinite system resource usage that prevents legitimate use of Jenkins.
Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.
Even more concerning, several plugins, such as SonarQube Scanner and Bitbucket, permit attackers without Overall/Read permissions to exploit this flaw.
These plugins, or other features processing user-provided JSON, may also be vulnerable, potentially causing those features to be unavailable.
The security team has patched this vulnerability by backporting fixes from org.kordamp.json:json-lib-core to org.kohsuke.stapler:json-lib, culminating in version 2.4-jenkins-8. The fix is included in Jenkins LTS version 2.479.2 and version 2.487.
Another critical issue is the stored cross-site scripting (XSS) vulnerability in the Simple Queue Plugin, identified as CVE-2024-54003.
Versions 1.4.4 and earlier do not adequately escape view names, enabling attackers with View/Create permission to execute malicious scripts.
This vulnerability has been rectified in Simple Queue Plugin version 1.4.5, which ensures appropriate escaping of view names to mitigate XSS risks.
The Filesystem List Parameter Plugin, versions 0.0.14 and earlier, suffers from a path traversal vulnerability (CVE-2024-54004).
This flaw allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. The issue is addressed in version 0.0.15, which restricts paths to an allow list by default, confined to $JENKINS_HOME/userContent/.
Affected Versions and Fixes
As per a report by Jenkins, Users are strongly advised to update Jenkins weekly to version 2.487 and Jenkins LTS to version 2.479.2.
Additionally, affected plugins should be updated to their latest versions to ensure protection against these vulnerabilities. Failure to apply these updates leaves systems exposed to potential exploitation.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…
As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…
UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…
Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…
Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…
Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…