Critical Jenkins Vulnerability Let Attackers Trigger DoS & Inject Scripts

A series of vulnerabilities have been identified, posing significant risks to the system’s security.

These vulnerabilities could allow attackers to trigger denial of service (DoS) attacks and execute script injections, as highlighted in recent advisories.

Denial of Service Vulnerability in JSON Library – CVE-2024-47855

A major vulnerability, identified as CVE-2024-47855, affects the Jenkins system due to its use of the org.kohsuke.stapler:json-lib library to process JSON data.

This library, which is a Jenkins project fork of the original net.sf.json-lib:json-lib, has been found susceptible in Jenkins LTS versions 2.479.1 and earlier, and in version 2.486 and earlier.

Attackers with Overall/Read permission can exploit this vulnerability to monopolize HTTP request handling threads, leading to indefinite system resource usage that prevents legitimate use of Jenkins.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Even more concerning, several plugins, such as SonarQube Scanner and Bitbucket, permit attackers without Overall/Read permissions to exploit this flaw.

These plugins, or other features processing user-provided JSON, may also be vulnerable, potentially causing those features to be unavailable.

The security team has patched this vulnerability by backporting fixes from org.kordamp.json:json-lib-core to org.kohsuke.stapler:json-lib, culminating in version 2.4-jenkins-8. The fix is included in Jenkins LTS version 2.479.2 and version 2.487.

Stored XSS Vulnerability in Simple Queue Plugin – CVE-2024-54003

Another critical issue is the stored cross-site scripting (XSS) vulnerability in the Simple Queue Plugin, identified as CVE-2024-54003.

Versions 1.4.4 and earlier do not adequately escape view names, enabling attackers with View/Create permission to execute malicious scripts.

This vulnerability has been rectified in Simple Queue Plugin version 1.4.5, which ensures appropriate escaping of view names to mitigate XSS risks.

Path Traversal Vulnerability in Filesystem List Parameter Plugin – CVE-2024-54004

The Filesystem List Parameter Plugin, versions 0.0.14 and earlier, suffers from a path traversal vulnerability (CVE-2024-54004).

This flaw allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. The issue is addressed in version 0.0.15, which restricts paths to an allow list by default, confined to $JENKINS_HOME/userContent/.

Affected Versions and Fixes

• Jenkins weekly: Up to and including 2.486
• Jenkins LTS: Up to and including 2.479.1
• Filesystem List Parameter Plugin: Up to and including 0.0.14
• Simple Queue Plugin: Up to and including 1.4.4

As per a report by Jenkins, Users are strongly advised to update Jenkins weekly to version 2.487 and Jenkins LTS to version 2.479.2.

Additionally, affected plugins should be updated to their latest versions to ensure protection against these vulnerabilities. Failure to apply these updates leaves systems exposed to potential exploitation.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar