Security holes in developer tool Jenkins plugged

Several security vulnerabilities exist in the open-source developer tool Jenkins. The developers close the vulnerabilities with updated software. IT administrators should apply the updates.

In the security advisory, the Jenkins developers list three vulnerabilities. The most severe one is in the Simple Queue plug-in. It does not escape the names of views. This results in a stored cross-site scripting vulnerability that attackers with "View/Create" permission can abuse (CVE-2024-54003, CVSS 8.0, risk "high"). Plugin version 1.4.5 closes the hole.

The bundled json-lib library contains a denial-of-service vulnerability. It affects the version of org.kohsuke.stapler:json-lib shipped with Jenkins LTS 2.479.1, 2.486 and earlier versions. If the hole is exploited, attackers with "Overall/Read" permission can keep the threads that handle HTTP requests busy indefinitely, which consumes system resources and prevents others from using Jenkins. Some plugins additionally allow this to be exploited even without "Overall/Read" permission (CVE-2024-47855, CVSS 7.5, high). Jenkins LTS 2.479.2 and 2.487 and newer versions ship a corrected version of org.kohsuke.stapler:json-lib.

The Filesystem List Parameter plug-in has a path traversal vulnerability. Attackers with "Item/Configure" permission can list files on the file system of the Jenkins controller (CVE-2024-54004, CVSS 4.3, medium). Plugin version 0.0.15 corrects the error.
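As an added example (not code from the article or the Jenkins project), the following Python script checks a recorded inventory of core and plugin versions against the fixed versions named above, distinguishing the LTS line from the weekly line. The plugin short names and the sample inventory are assumptions constructed for the example.

```python
"""Compare a Jenkins inventory against the fixed versions from the advisory.

Added example, not code from Jenkins or the article. It works on a constructed
inventory rather than querying a live controller. The plugin IDs are the short
names assumed here for the Simple Queue and Filesystem List Parameter plugins.
"""
from typing import Dict, List, Tuple

# Fixed versions as stated in the advisory text.
FIXED_LTS = "2.479.2"      # LTS releases use three components, e.g. 2.479.1
FIXED_WEEKLY = "2.487"     # weekly releases use two components, e.g. 2.486
FIXED_PLUGINS = {
    # assumed short name: (fixed version, CVE)
    "simple-queue": ("1.4.5", "CVE-2024-54003"),                      # stored XSS
    "filesystem-list-parameter-plugin": ("0.0.15", "CVE-2024-54004"),  # path traversal
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.479.1' into (2, 479, 1) so that tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def core_is_vulnerable(version: str) -> bool:
    """LTS and weekly versions must be compared against different fixed releases."""
    parsed = parse_version(version)
    fixed = FIXED_LTS if len(parsed) == 3 else FIXED_WEEKLY
    return parsed < parse_version(fixed)


def findings(core_version: str, plugins: Dict[str, str]) -> List[str]:
    """Return one line per affected component; an empty list means fully patched."""
    out: List[str] = []
    if core_is_vulnerable(core_version):
        out.append(f"core {core_version}: CVE-2024-47855 (json-lib DoS), "
                   f"update to {FIXED_LTS} (LTS) or {FIXED_WEEKLY} (weekly)")
    for plugin_id, (fixed, cve) in FIXED_PLUGINS.items():
        installed = plugins.get(plugin_id)  # plugin not installed -> not affected
        if installed and parse_version(installed) < parse_version(fixed):
            out.append(f"{plugin_id} {installed}: {cve}, update to {fixed}")
    return out


# Constructed inventory: an LTS controller with one outdated plugin.
SAMPLE_CORE = "2.479.1"
SAMPLE_PLUGINS = {"simple-queue": "1.4.4", "filesystem-list-parameter-plugin": "0.0.15"}

if __name__ == "__main__":
    for line in findings(SAMPLE_CORE, SAMPLE_PLUGINS):
        print(line)
```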

Just two weeks ago, the Jenkins developers had already closed security holes. There, too, the risk was rated as high. Since August, there have been attacks on Jenkins servers exploiting vulnerabilities that had been open for several years and that some administrators had not closed, which underlines that the updates should be applied promptly.


(dmk)