Critical Jenkins Vulnerabilities Expose Systems to DoS and Security Risks
A series of security flaws have been discovered in Jenkins, impacting both its core system and associated plugins. These vulnerabilities allow attackers to trigger denial of service (DoS) attacks, execute script injections, and potentially gain unauthorized access to system resources. Affected components include the JSON processing library, the Simple Queue Plugin, and the Filesystem List Parameter Plugin. Jenkins has released updated versions to address these risks, and users are strongly urged to upgrade to ensure the integrity and security of their automation environments.
Recent security updates have revealed a series of vulnerabilities within Jenkins, affecting both its core system and various plugins. These flaws present significant risks, enabling attackers to trigger denial of service (DoS) attacks, inject malicious scripts, and potentially compromise system integrity.
Denial of Service Due to JSON Processing (CVE-2024-47855)
A major vulnerability, tracked as CVE-2024-47855, has been identified in Jenkins' JSON processing capabilities. This flaw is rooted in the use of the org.kohsuke.stapler:json-lib library, which processes JSON data. The vulnerability affects Jenkins LTS versions 2.479.1 and earlier, as well as version 2.486 and earlier.
Attackers with Overall/Read permissions can exploit this issue to occupy HTTP request threads indefinitely, overwhelming system resources and making Jenkins unavailable for legitimate users. What's more, certain plugins—such as SonarQube Scanner and Bitbucket—widen the scope of this attack by allowing attackers without Overall/Read permissions to exploit the flaw.
To mitigate this risk, the Jenkins security team has patched the vulnerability by incorporating a fix from the updated org.kordamp.json:json-lib-core library. The patched versions are Jenkins LTS 2.479.2 and 2.487.
Stored XSS Vulnerability in Simple Queue Plugin (CVE-2024-54003)
Another critical vulnerability, CVE-2024-54003, has been discovered in the Simple Queue Plugin, affecting versions up to 1.4.4. This issue allows attackers with "View/Create" permissions to inject malicious JavaScript into the Jenkins interface. Once executed, the script could potentially steal sensitive data or hijack user sessions.
This vulnerability has been addressed in Simple Queue Plugin version 1.4.5, where view names are now properly escaped, neutralizing the risk of stored cross-site scripting (XSS).
Path Traversal Risk in Filesystem List Parameter Plugin (CVE-2024-54004)
The Filesystem List Parameter Plugin, versions 0.0.14 and earlier, contains a path traversal vulnerability. This flaw allows attackers with "Item/Configure" permissions to enumerate file names on the Jenkins server, potentially revealing sensitive file locations or enabling further exploitation.
The issue has been fixed in version 0.0.15, where the plugin restricts file paths to an allowed list, ensuring that users can only access directories within $JENKINS_HOME/userContent/ by default. The allow list can be customized to include other directories if needed.
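As an added illustration of the allow-list approach described above (example code written for this article, not the plugin's own implementation), the following contrasts a weak string-prefix check with one that canonicalizes the path before deciding whether it lies under the allowed directory. The JENKINS_HOME location is a constructed sample value.

```python
from pathlib import Path

# Constructed sample location; in practice this is the real $JENKINS_HOME.
JENKINS_HOME = Path("/tmp/jenkins_home_example").resolve()

# The page states the default allowed directory is $JENKINS_HOME/userContent/.
# Operators can extend this list with other directories they choose to expose.
DEFAULT_ALLOW_LIST = [JENKINS_HOME / "userContent"]


def naive_prefix_check(requested: str, allow_list=DEFAULT_ALLOW_LIST) -> bool:
    """Weak check: compares the raw string prefix without canonicalizing.
    A '..' segment, or a sibling directory sharing the prefix, slips through."""
    return any(requested.startswith(str(base)) for base in allow_list)


def is_listing_allowed(requested: str, allow_list=DEFAULT_ALLOW_LIST) -> bool:
    """Hardened check: canonicalize first (collapses '..' and follows symlinks),
    then require the result to be an allowed directory or a descendant of it.
    Relative inputs are interpreted against JENKINS_HOME; absolute inputs replace it."""
    target = (JENKINS_HOME / requested).resolve()
    for base in allow_list:
        try:
            target.relative_to(base)  # raises ValueError when target is outside base
            return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    # Constructed candidates a job configuration might supply for listing.
    candidates = (
        str(JENKINS_HOME / "userContent" / "reports"),
        str(JENKINS_HOME / "userContent" / ".." / "secrets"),
        str(JENKINS_HOME) + "/userContent-old",
        "/etc",
    )
    for candidate in candidates:
        print(f"{candidate}: naive={naive_prefix_check(candidate)} "
              f"hardened={is_listing_allowed(candidate)}")
```

The prefix comparison accepts both the `..` form and the sibling directory, while the canonicalizing check accepts only locations that resolve beneath an allowed directory.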
Affected Versions and Remediation
The following versions are impacted by these vulnerabilities:
- Jenkins weekly up to version 2.486
- Jenkins LTS up to version 2.479.1
- Filesystem List Parameter Plugin up to version 0.0.14
- Simple Queue Plugin up to version 1.4.4
Users should update to the following patched versions to protect their systems:
- Jenkins weekly: version 2.487
- Jenkins LTS: version 2.479.2
- Filesystem List Parameter Plugin: version 0.0.15
- Simple Queue Plugin: version 1.4.5
By updating to these latest versions, users will address the vulnerabilities mentioned above and safeguard their Jenkins environments against potential exploits. Jenkins strongly advises users to apply these fixes promptly, as prior versions are considered vulnerable.