Multiple Vulnerabilities in Jenkins Server and Update Centre

Published on 10 Mar 2023

Jenkins has released security updates addressing multiple high-severity vulnerabilities (CVE-2023-27898 and CVE-2023-27899) in the Jenkins Server and Update Centre.

The high-severity vulnerabilities are:

• CVE-2023-27898: A stored cross-site scripting (XSS) vulnerability in the plugin manager. An attacker able to provide plugins to the configured update sites could cause the plugin manager to display an error message about the plugin's incompatibility with the current version of Jenkins that carries the injected script, potentially leading to arbitrary code execution.

• CVE-2023-27899: A vulnerability that could allow attackers with read and write access to the controller file system to modify a plugin before it is installed in Jenkins, potentially leading to arbitrary code execution.

The products affected by the vulnerabilities include:

• For CVE-2023-27898:
  o Jenkins 2.270 through 2.393 (both inclusive)
  o Jenkins LTS 2.277.1 through 2.375.3 (both inclusive)
• For CVE-2023-27899:
  o Jenkins 2.393 and earlier
  o Jenkins LTS 2.375.3 and earlier
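The affected ranges above mix two release lines with different version formats (weekly releases such as 2.393, LTS releases such as 2.375.3), and a naive string comparison gets them wrong. The following Python script is an added example, not code from the Jenkins project or from this advisory: it encodes exactly the ranges stated above and reports which of the two CVEs cover a given Jenkins version. The function names and the sample version strings in the main block are constructed for illustration; the script does not claim which release fixed either issue.

```python
"""Check whether a Jenkins version string falls inside the affected ranges
stated in this advisory for CVE-2023-27898 and CVE-2023-27899.

Added example (not Jenkins project code). The version ranges are taken from
the advisory text; helper names and sample inputs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '2.375.3' into (2, 375, 3) so versions compare numerically.

    Weekly releases have two components (2.393) and LTS releases have three
    (2.375.3). Tuples of ints order correctly where plain string comparison
    would not: '2.393' < '2.4' as strings, but (2, 393) > (2, 4) as tuples.
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_lts(s: str) -> bool:
    """LTS releases carry a third component (2.375.3); weeklies do not (2.393)."""
    return len(parse_version(s)) == 3


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    line: str                 # "weekly" or "lts"
    low: Optional[Version]    # None means "and earlier" (no lower bound)
    high: Version             # inclusive upper bound

    def contains(self, v: Version) -> bool:
        return (self.low is None or self.low <= v) and v <= self.high


# Ranges exactly as stated in the advisory (both ends inclusive).
AFFECTED = [
    AffectedRange("CVE-2023-27898", "weekly", parse_version("2.270"), parse_version("2.393")),
    AffectedRange("CVE-2023-27898", "lts", parse_version("2.277.1"), parse_version("2.375.3")),
    AffectedRange("CVE-2023-27899", "weekly", None, parse_version("2.393")),
    AffectedRange("CVE-2023-27899", "lts", None, parse_version("2.375.3")),
]


def affected_cves(version_str: str) -> List[str]:
    """Return the sorted CVE ids whose stated range covers this version.

    The LTS and weekly lines are checked separately so that an LTS version
    is never compared against a weekly range or vice versa.
    """
    v = parse_version(version_str)
    line = "lts" if is_lts(version_str) else "weekly"
    return sorted({r.cve for r in AFFECTED if r.line == line and r.contains(v)})


if __name__ == "__main__":
    # Constructed samples: the top of each affected range, a weekly below
    # 2.270 (covered only by CVE-2023-27899), and versions just above the
    # stated ranges (not a statement about which release fixed the issues).
    for sample in ["2.393", "2.375.3", "2.250", "2.394", "2.375.4"]:
        hits = affected_cves(sample)
        status = "affected by " + ", ".join(hits) if hits else "not in an affected range"
        print(f"{sample:>8}: {status}")
```

Run it against the version shown in the footer of your Jenkins controller (or from the `X-Jenkins` response header) to decide whether the upgrade is urgent; a weekly older than 2.270 still falls inside the CVE-2023-27899 range even though it is outside the XSS range.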

Users and administrators of the affected Jenkins products are advised to upgrade to the latest versions immediately.

More information is available here: