Active Exploitation of Multiple Vulnerabilities in Jenkins Products

Published on 30 Jan 2024 | Updated on 30 Jan 2024

Jenkins has released security updates addressing multiple vulnerabilities, including a critical (CVE-2024-23897) vulnerability and a high-severity (CVE-2024-23898) vulnerability in their products. The vulnerabilities are reportedly being actively exploited.

The vulnerabilities are: 

  • CVE-2024-23897: An arbitrary file read vulnerability that allows an unauthenticated attacker with 'overall/read' permission to read data from arbitrary files on the Jenkins server.
  • CVE-2024-23898: A cross-site WebSocket hijacking (CSWSH) vulnerability that allows an attacker to execute arbitrary CLI commands by tricking a user into clicking a malicious link.

The products affected by the vulnerabilities include:

  • Jenkins 2.441 and earlier
  • Jenkins LTS 2.426.2 and earlier

Users and administrators of the affected Jenkins products are advised to upgrade to the latest versions immediately.

More information is available at:

https://www.jenkins.io/security/advisory/2024-01-24/

https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/

https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/