Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Active Exploitation of Multiple Vulnerabilities in Jenkins Products
Alerts

Active Exploitation of Multiple Vulnerabilities in Jenkins Products

30 January 2024

Jenkins has released security updates addressing multiple vulnerabilities, including a critical (CVE-2024-23897) vulnerability and a high-severity (CVE-2024-23898) vulnerability in their products. The vulnerabilities are reportedly being actively exploited.

The vulnerabilities are: 

  • CVE-2024-23897: An arbitrary file read vulnerability that allows an unauthenticated attacker with 'overall/read' permission to read data from arbitrary files on the Jenkins server.

  • CVE-2024-23898: A cross-site WebSocket hijacking (CSWSH) vulnerability that allows an attacker to execute arbitrary CLI commands by tricking a user into clicking a malicious link.

The products affected by the vulnerabilities include:

  • Jenkins 2.441 and earlier

  • Jenkins LTS 2.426.2 and earlier

Users and administrators of the affected Jenkins products are advised to upgrade to the latest versions immediately.

More information is available at:

https://www.jenkins.io/security/advisory/2024-01-24/

https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/

https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/

Back to top