Jenkins Family January 2024 Security Update Advisory

Overview

An update has been made available to fix vulnerabilities in Jenkins (https://www.jenkins.io/). Users of affected versions are advised to update to the latest version.

 

Affected Products

CVE-2024-23897

  • All versions of Jenkins 2.441 and earlier, LTS 2.426.2 and earlier

 

CVE-2024-23898

  • Jenkins 2.217 and all later versions before 2.441; LTS 2.222.1 and all later versions before 2.426.2

 

CVE-2024-23899

  • Git Server plugin in Jenkins, all versions 99.va_0826a_b_cdfa_d and earlier

 

CVE-2023-6147, CVE-2023-6148, CVE pending

  • Qualys Policy Compliance Scanning Connector plugin in Jenkins, all versions 1.0.5 and earlier

 

CVE-2024-23904

  • All versions of the Log Command plugin in Jenkins 1.0.2 and earlier

 

CVE-2024-23905

  • All versions of the Red Hat Dependency Analytics plugin in Jenkins 0.7.1 and earlier

 

CVE-2024-23900

  • All versions of the Matrix Project plugin in Jenkins before 822.v01b_8c85d16d2

 

CVE-2024-23901, CVE-2024-23902, CVE-2024-23903

  • All versions of the GitLab Branch Source plugin in Jenkins before 684.vea_fa_7c1e2fe3

 

Resolved Vulnerabilities

  • CVE-2024-23897: Arbitrary file read vulnerability via the CLI in Jenkins
  • CVE-2024-23898: Cross-site WebSocket hijacking vulnerability in the CLI in Jenkins
  • CVE-2024-23899: Arbitrary file read vulnerability in the Git Server plugin in Jenkins
  • CVE-2023-6147: XXE vulnerability in the Qualys Policy Compliance Scanning Connector plugin in Jenkins
  • CVE-2023-6148: XSS vulnerability in the Qualys Policy Compliance Scanning Connector plugin in Jenkins
  • CVE pending: Incorrect permission check allowing credential capture in the Qualys Policy Compliance Scanning Connector plugin in Jenkins
  • CVE-2024-23904: Arbitrary file read vulnerability in the Log Command plugin in Jenkins
  • CVE-2024-23905: Content-Security-Policy protection for user content disabled by the Red Hat Dependency Analytics plugin in Jenkins
  • CVE-2024-23900: Path traversal vulnerability in the Matrix Project plugin in Jenkins
  • CVE-2024-23901: Unconditional search of shared projects permitted by the GitLab Branch Source plugin in Jenkins
  • CVE-2024-23902: CSRF vulnerability in the GitLab Branch Source plugin in Jenkins
  • CVE-2024-23903: Non-constant-time webhook token comparison (timing side channel) in the GitLab Branch Source plugin in Jenkins

 

Vulnerability Patches

Patches for the vulnerabilities were made available in the January 24 and 25, 2024 updates. For more information about the vulnerability patches, please refer to the security advisory on the Jenkins site [1].

  • CVE-2024-23897, CVE-2024-23898: Jenkins 2.442, LTS 2.426.3
  • CVE-2024-23899: Git Server plugin in Jenkins 99.101.v720e86326c09
  • CVE-2023-6147, CVE-2023-6148, CVE pending: Qualys Policy Compliance Scanning Connector plugin in Jenkins 1.0.6
  • CVE-2024-23904: No patch available [7]
  • CVE-2024-23905: Red Hat Dependency Analytics plugin in Jenkins 0.9.0
  • CVE-2024-23900: Matrix Project plugin in Jenkins 822.824.v14451b_c0fd42
  • CVE-2024-23901, CVE-2024-23902, CVE-2024-23903: GitLab Branch Source plugin in Jenkins 688.v5fa_356ee8520
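The fixed versions above are the data an administrator needs to decide whether an instance is still exposed, and two details make a naive string comparison wrong: Jenkins plugin versions carry a `v<hash>` suffix that is a source revision rather than an ordering component, and the weekly and LTS core lines must be compared separately (a weekly 2.430 is numerically above LTS 2.426.3 but still precedes the weekly fix in 2.442). The following script is an added example, not code from the Jenkins project or from the advisory; the plugin short names (`git-server`, `qualys-pc`, `redhat-dependency-analytics`, `matrix-project`, `gitlab-branch-source`, `log-command`) are taken from the plugin site URLs in the references, the helper names and the sample inventory are assumptions made for this example, and it relies on the Jenkins convention that LTS releases have three numeric components while weekly releases have two.

```python
# Added example (not from the Jenkins project or the advisory): compare an
# instance's recorded core and plugin versions against the fixed versions
# listed in the "Vulnerability Patches" section and report what is still affected.
# Plugin short names follow the plugins.jenkins.io URLs in the references;
# helper names and the sample inventory are assumptions made for this example.

# Fixed versions exactly as listed in the advisory.
FIXED_CORE_WEEKLY = "2.442"
FIXED_CORE_LTS = "2.426.3"
FIXED_PLUGINS = {
    "git-server": "99.101.v720e86326c09",
    "qualys-pc": "1.0.6",
    "redhat-dependency-analytics": "0.9.0",
    "matrix-project": "822.824.v14451b_c0fd42",
    "gitlab-branch-source": "688.v5fa_356ee8520",
}
# Listed with no patch available: every installed version counts as affected.
UNPATCHED_PLUGINS = {"log-command"}


def version_key(version):
    """Ordering key for a Jenkins version string.

    Plugin versions look like '822.v01b_8c85d16d2' or '99.101.v720e86326c09':
    the leading dot-separated integers carry the ordering and the 'v<hash>'
    suffix is a source revision, so the key is the tuple of leading integers
    and stops at the first non-numeric piece.
    """
    key = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        key.append(int(piece))
    return tuple(key)


def is_lts_core(version):
    """LTS releases use three numeric components (2.426.3), weekly releases two
    (2.442). The two lines must be compared against their own fixed version."""
    return len(version_key(version)) == 3


def core_is_fixed(version):
    """True if the core version includes the fix for CVE-2024-23897/-23898."""
    fixed = FIXED_CORE_LTS if is_lts_core(version) else FIXED_CORE_WEEKLY
    return version_key(version) >= version_key(fixed)


def plugin_is_fixed(name, version):
    """True/False for plugins named in the advisory, None for any other plugin."""
    if name in UNPATCHED_PLUGINS:
        return False
    if name not in FIXED_PLUGINS:
        return None
    return version_key(version) >= version_key(FIXED_PLUGINS[name])


def check_instance(core_version, plugins):
    """Return (component, installed, fixed_version) for each affected component."""
    findings = []
    if not core_is_fixed(core_version):
        fixed = FIXED_CORE_LTS if is_lts_core(core_version) else FIXED_CORE_WEEKLY
        findings.append(("jenkins-core", core_version, fixed))
    for name in sorted(plugins):
        if plugin_is_fixed(name, plugins[name]) is False:
            findings.append((name, plugins[name],
                             FIXED_PLUGINS.get(name, "none available")))
    return findings


# Constructed inventory for a hypothetical instance (not real data).
SAMPLE_CORE = "2.426.2"
SAMPLE_PLUGINS = {
    "git-server": "99.va_0826a_b_cdfa_d",
    "matrix-project": "822.824.v14451b_c0fd42",
    "log-command": "1.0.2",
    "git": "5.2.1",  # not covered by this advisory
}

if __name__ == "__main__":
    for component, installed, fixed in check_instance(SAMPLE_CORE, SAMPLE_PLUGINS):
        print(f"AFFECTED {component}: installed {installed}, fixed in {fixed}")
```

On the constructed inventory the script reports the LTS core (2.426.2 is below 2.426.3), the Git Server plugin (99 is below 99.101) and the Log Command plugin (no fix exists), while the Matrix Project plugin at its fixed version passes and the Git plugin is skipped as outside this advisory. In practice the inventory would be read from the instance's `plugins/*.jpi` manifests or the script console rather than typed in.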

 

Referenced Sites

[1] Jenkins Security Advisory 2024-01-24
https://www.jenkins.io/security/advisory/2024-01-24/

[2] Git server
https://plugins.jenkins.io/git-server

[3] Matrix Project
https://plugins.jenkins.io/matrix-project/

[4] GitLab Branch Source
https://plugins.jenkins.io/gitlab-branch-source/

[5] Qualys Policy Compliance Scanning Connector
https://plugins.jenkins.io/qualys-pc/

[6] Red Hat Dependency Analytics
https://plugins.jenkins.io/redhat-dependency-analytics/

[7] Log Command
https://plugins.jenkins.io/log-command/