Jenkins CLI WebSocket Endpoint Vulnerability
Key Information
- Vendor
- Jenkins
- Status
- Jenkins
- Vendor
- CVE Published:
- 24 January 2024
Badges
Summary
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.
Affected Version(s)
Jenkins <= 0
Jenkins >= 2.217
Jenkins >= 2.442
News Articles
Exploit Released for Critical Jenkins RCE Flaw
Jenkins has been discovered with a critical vulnerability that is associated with arbitrary code execution that threat actors can exploit for malicious purposes.
2 months ago
Patch now: Critical Jenkins exploits released
POCs validated, over 45,000 instances still publicly exposed after critical Jenkins vulnerability disclosed.
9 months ago
CVSS V3.1
Timeline
- 👾
Exploit exists.
First article discovered by The Stack
Vulnerability published.
Vulnerability Reserved.