Cyber Security News

Critical Jenkins Vulnerability Let Attackers Trigger DoS & Inject Scripts

A series of vulnerabilities have been identified, posing significant risks to the system’s security.

These vulnerabilities could allow attackers to trigger denial of service (DoS) attacks and execute script injections, as highlighted in recent advisories.

Denial of Service Vulnerability in JSON Library – CVE-2024-47855

A major vulnerability, identified as CVE-2024-47855, affects the Jenkins system due to its use of the org.kohsuke.stapler:json-lib library to process JSON data.

This library, which is a Jenkins project fork of the original net.sf.json-lib:json-lib, has been found susceptible in Jenkins LTS versions 2.479.1 and earlier, and in version 2.486 and earlier.

Attackers with Overall/Read permission can exploit this vulnerability to monopolize HTTP request handling threads, leading to indefinite system resource usage that prevents legitimate use of Jenkins.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Even more concerning, several plugins, such as SonarQube Scanner and Bitbucket, permit attackers without Overall/Read permissions to exploit this flaw.

These plugins, or other features processing user-provided JSON, may also be vulnerable, potentially causing those features to be unavailable.

The security team has patched this vulnerability by backporting fixes from org.kordamp.json:json-lib-core to org.kohsuke.stapler:json-lib, culminating in version 2.4-jenkins-8. The fix is included in Jenkins LTS version 2.479.2 and version 2.487.

Stored XSS Vulnerability in Simple Queue Plugin – CVE-2024-54003

Another critical issue is the stored cross-site scripting (XSS) vulnerability in the Simple Queue Plugin, identified as CVE-2024-54003.

Versions 1.4.4 and earlier do not adequately escape view names, enabling attackers with View/Create permission to execute malicious scripts.

This vulnerability has been rectified in Simple Queue Plugin version 1.4.5, which ensures appropriate escaping of view names to mitigate XSS risks.

Path Traversal Vulnerability in Filesystem List Parameter Plugin – CVE-2024-54004

The Filesystem List Parameter Plugin, versions 0.0.14 and earlier, suffers from a path traversal vulnerability (CVE-2024-54004).

This flaw allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. The issue is addressed in version 0.0.15, which restricts paths to an allow list by default, confined to $JENKINS_HOME/userContent/.

Affected Versions and Fixes

  • Jenkins weekly: Up to and including 2.486
  • Jenkins LTS: Up to and including 2.479.1
  • Filesystem List Parameter Plugin: Up to and including 0.0.14
  • Simple Queue Plugin: Up to and including 1.4.4

As per a report by Jenkins, Users are strongly advised to update Jenkins weekly to version 2.487 and Jenkins LTS to version 2.479.2.

Additionally, affected plugins should be updated to their latest versions to ensure protection against these vulnerabilities. Failure to apply these updates leaves systems exposed to potential exploitation.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick to…

17 hours ago

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using compromised…

17 hours ago

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign targeting…

17 hours ago

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global companies,…

17 hours ago

REF7707 Hackers Target Windows & Linux Systems with FINALDRAFT Malware

Elastic Security Labs has uncovered a sophisticated cyber-espionage campaign, tracked as REF7707, targeting entities across…

17 hours ago

NVIDIA Container Toolkit Vulnerable to Code Execution Attacks

NVIDIA has issued a critical security update to address a high-severity vulnerability discovered in the…

19 hours ago