Jenkins CLI WebSocket Endpoint Vulnerability
CVE-2024-23898

8.8HIGH

Key Information:

Vendor
Jenkins
Status
Jenkins
Vendor
CVE Published:
24 January 2024

Badges

πŸ‘Ύ Exploit ExistsπŸ“° News Worthy

Summary

Jenkins versions 2.217 to 2.441 and LTS versions 2.222.1 to 2.426.2 are vulnerable to a cross-site WebSocket hijacking (CSWSH) attack due to inadequate origin validation for requests made through the CLI WebSocket endpoint. This flaw enables attackers to potentially execute arbitrary CLI commands on the Jenkins controller, allowing for unauthorized access and control over the Jenkins environment. Users of affected versions are strongly advised to apply security updates to mitigate the risk associated with this vulnerability.

Affected Version(s)

Jenkins 0

Jenkins 0 < 2.217

Jenkins 2.442

News Articles

favicon imageGBHackers

Exploit Released for Critical Jenkins RCE Flaw

Jenkins has been discovered with a critical vulnerability that is associated with arbitrary code execution that threat actors can exploit for malicious purposes.

4 months ago

favicon imageThe Stack

Patch now: Critical Jenkins exploits released

POCs validated, over 45,000 instances still publicly exposed after critical Jenkins vulnerability disclosed.

11 months ago

References

https://www.jenkins.io/security/advisory/2024-01-24/#SECU...
vendor-advisory
https://www.sonarsource.com/blog/excessive-expansion-unco...
http://www.openwall.com/lists/oss-security/2024/01/24/6

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by The Stack

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database2 News Article(s)
.