Jenkins has released security updates addressing multiple vulnerabilities, including a critical (CVE-2024-23897) vulnerability and a high-severity (CVE-2024-23898) vulnerability in their products. The vulnerabilities are reportedly being actively exploited.
The vulnerabilities are:
- CVE-2024-23897: An arbitrary file read vulnerability that allows an unauthenticated attacker with 'overall/read' permission to read data from arbitrary files on the Jenkins server.
- CVE-2024-23898: A cross-site WebSocket hijacking (CSWSH) vulnerability that allows an attacker to execute arbitrary CLI commands by tricking a user into clicking a malicious link.
The products affected by the vulnerabilities include:
- Jenkins 2.441 and earlier
- Jenkins LTS 2.426.2 and earlier
Users and administrators of the affected Jenkins products are advised to upgrade to the latest versions immediately.
More information is available at:
https://www.jenkins.io/security/advisory/2024-01-24/
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/