
Serious Jenkins Vulnerability Allows Attackers to Initiate DoS Attacks and Inject Scripts


A recent set of vulnerabilities in Jenkins has raised concerns about security risks that attackers could exploit. If they are not addressed promptly, these vulnerabilities could have serious consequences for the overall security of a Jenkins installation.

One of the major vulnerabilities is a Denial of Service (DoS) flaw in a JSON library, tracked as CVE-2024-47855. Jenkins is affected because it processes JSON data with the org.kohsuke.stapler:json-lib library, and the vulnerable versions of that library ship with Jenkins weekly 2.486 and earlier and Jenkins LTS 2.479.1 and earlier.

Attackers with Overall/Read permission can exploit this vulnerability to keep HTTP request handling threads busy indefinitely, tying up system resources and disrupting legitimate use of Jenkins. More worrying still, several plugins, such as SonarQube Scanner and Bitbucket, expose the same weakness to attackers without Overall/Read permission, so the features those plugins provide could be rendered unavailable.

To address this vulnerability, the security team backported fixes from org.kordamp.json:json-lib-core into org.kohsuke.stapler:json-lib and released the patched library as version 2.4-jenkins-8. The fix is included in Jenkins LTS 2.479.2 and Jenkins weekly 2.487.

Another critical vulnerability is a stored cross-site scripting (XSS) flaw in the Simple Queue Plugin, tracked as CVE-2024-54003. Versions 1.4.4 and earlier do not adequately escape view names, which allows attackers with View/Create permission to execute malicious scripts. Version 1.4.5 of the plugin addresses the issue by escaping view names appropriately.

Furthermore, the Filesystem List Parameter Plugin in versions 0.0.14 and earlier suffers from a path traversal vulnerability, tracked as CVE-2024-54004, that allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. Version 0.0.15 resolves the issue by restricting paths to an allow list, which by default contains only $JENKINS_HOME/userContent/.

Users are strongly advised to update Jenkins weekly to version 2.487 and Jenkins LTS to version 2.479.2 to mitigate these vulnerabilities. Additionally, affected plugins should be updated to their latest versions to ensure protection against potential exploitation. Failure to apply these updates could leave systems vulnerable to attacks and compromise their security.
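To turn the version numbers above into a quick inventory check, here is an added Python triage helper (not Jenkins project code) that reports which of the three advisories apply to a given core version and plugin list. It uses only the affected and fixed versions stated in this article. The plugin names serve as dictionary keys for readability; the short names the Jenkins update center uses may differ, and the sample inventory in `__main__` is constructed. Note that the weekly and LTS lines must be compared separately: a naive tuple comparison would place 2.479.1 before 2.486 even though the LTS release is the newer of the two.

```python
from dataclasses import dataclass

# Added triage helper based on the versions in the advisory summary above.
# Not Jenkins project code; plugin display names are used as keys (assumption).


def parse_version(v: str) -> tuple[int, ...]:
    """'2.479.1' -> (2, 479, 1); '2.486' -> (2, 486)."""
    return tuple(int(p) for p in v.strip().split("."))


def is_lts(core_version: str) -> bool:
    """LTS releases carry a third component (2.479.1); weekly releases do not (2.486)."""
    return len(parse_version(core_version)) == 3


# CVE-2024-47855: (highest affected, first fixed) core version per release line.
CORE_FIX = {"lts": ("2.479.1", "2.479.2"), "weekly": ("2.486", "2.487")}


@dataclass(frozen=True)
class PluginAdvisory:
    cve: str
    affected_max: str  # highest affected version
    fixed_in: str


PLUGIN_ADVISORIES = {
    "Simple Queue Plugin": PluginAdvisory("CVE-2024-54003", "1.4.4", "1.4.5"),
    "Filesystem List Parameter Plugin": PluginAdvisory("CVE-2024-54004", "0.0.14", "0.0.15"),
}

# Plugins the article says expose the json-lib DoS to users without Overall/Read.
WIDENS_DOS_EXPOSURE = {"SonarQube Scanner", "Bitbucket"}


def check_core(core_version: str) -> tuple[bool, str]:
    """Return (affected by CVE-2024-47855, version to upgrade to) for the core's line."""
    line = "lts" if is_lts(core_version) else "weekly"
    affected_max, fixed_in = CORE_FIX[line]
    return parse_version(core_version) <= parse_version(affected_max), fixed_in


def check_plugins(installed: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """Return (cve, plugin, installed version, fixed in) for each affected plugin."""
    findings = []
    for name, version in installed.items():
        adv = PLUGIN_ADVISORIES.get(name)
        if adv and parse_version(version) <= parse_version(adv.affected_max):
            findings.append((adv.cve, name, version, adv.fixed_in))
    return findings


def triage(core_version: str, installed: dict[str, str]) -> dict:
    """Combine the core and plugin checks into one report."""
    core_affected, core_fix = check_core(core_version)
    return {
        "core_affected": core_affected,
        "core_fix": core_fix,
        # Installed plugins that widen the DoS to unauthenticated users while core is unpatched.
        "dos_without_read": sorted(WIDENS_DOS_EXPOSURE.intersection(installed)) if core_affected else [],
        "plugin_findings": check_plugins(installed),
    }


if __name__ == "__main__":
    # Constructed sample inventory; versions for plugins without an advisory are placeholders.
    sample = {
        "SonarQube Scanner": "0.0",
        "Simple Queue Plugin": "1.4.4",
        "Filesystem List Parameter Plugin": "0.0.15",
    }
    for key, value in triage("2.479.1", sample).items():
        print(f"{key}: {value}")
```

Run against the sample inventory, the report flags the core as affected with 2.479.2 as the target version, lists SonarQube Scanner as widening the DoS exposure, and reports only the Simple Queue Plugin finding, since 0.0.15 of the Filesystem List Parameter Plugin is already the fixed release.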

In conclusion, it is crucial for organizations using Jenkins to stay vigilant and proactive in addressing these vulnerabilities to safeguard their systems and data from potential threats. By staying informed and implementing necessary security measures, organizations can protect themselves against cyber threats and ensure the integrity of their systems.
