New Security Flaws Could Allow Code Execution Attacks

March 8, 2023 | Ravie Lakshmanan

Two critical security vulnerabilities have been identified in the Jenkins open source automation server that could allow code execution on the target system.

The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, affect Jenkins servers and the Update Center and are collectively named CorePlague by cloud security company Aqua. All Jenkins versions prior to 2.319.2 are vulnerable and exploitable.

“Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim’s Jenkins server, potentially leading to a complete compromise of the Jenkins server,” the company said in a report shared with The Hacker News.

The shortcoming stems from the way Jenkins handles plugins available from the Update Center, which makes it possible for threat actors to upload plugins carrying malicious payloads that trigger cross-site scripting (XSS) attacks.

“If the victim opens the ‘Available Plugin Manager’ on the Jenkins server, it will trigger an XSS that will allow the attacker to execute arbitrary code on the Jenkins server using the Script Console API,” Aqua said.

Because this is a stored XSS, where the JavaScript code is injected into the server itself, the vulnerability can be triggered without the victim installing the plugin or first visiting the plugin’s URL.

The vulnerability also affects self-hosted Jenkins servers: because the public Jenkins Update Center can be “injected by an attacker”, the flaw can be exploited even in scenarios where the server is not exposed to the public Internet.

However, the attack rests on the assumption that the rogue plugin is compatible with the target Jenkins server and appears at the top of the main feed on the “Available Plugins Manager” page.


According to Aqua, this can be rigged by “uploading plugins with all plugin names and popular keywords embedded in the description” or by artificially inflating the plugin’s download count through requests sent from fake Jenkins instances.

Following the responsible disclosure on January 24, 2023, Jenkins has released a patch for Update Center and servers. Users are encouraged to update their Jenkins servers to the latest available version to reduce potential risks.
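As an added illustration (not code from the article, from Aqua, or from the Jenkins project), the following Python script shows two defender-side checks that follow from the description above: a version comparison against the 2.319.2 fix level the article names, and a scan of an update-center-style feed for HTML markup in plugin titles and descriptions, with HTML escaping as the mitigation that makes stored markup render as literal text rather than execute in the Plugin Manager page. The feed shape (a `plugins` map whose entries carry `title` and `excerpt` fields), the plugin entries and the markup marker in the second entry are all constructed assumptions for the example.

```python
import html
import json
import re

# Constructed sample in the shape of an update-center feed. Assumption: real
# feeds expose a "plugins" map with "name", "version", "title" and "excerpt".
# The tags in the second entry are a harmless constructed marker, not a payload.
SAMPLE_FEED = json.dumps({
    "plugins": {
        "git": {
            "name": "git", "version": "5.0.0", "title": "Git plugin",
            "excerpt": "Integrates Jenkins with Git repositories.",
        },
        "totally-legit": {
            "name": "totally-legit", "version": "1.0",
            "title": "Build <b>Tools</b>",
            "excerpt": "Pipeline Git Docker <script>/* constructed marker */</script>",
        },
    }
})

# Descriptive fields that the Plugin Manager renders from the feed (assumption).
RENDERED_FIELDS = ("title", "excerpt")

# Anything that looks like an HTML tag in a plain-text description is suspect.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Fix level named in the article: everything below it is affected.
FIXED_VERSION = (2, 319, 2)


def parse_version(version: str) -> tuple:
    """Turn a Jenkins version such as '2.319.1' or '2.375' into a comparable tuple."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:          # pad weekly-style versions like '2.375'
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version: str) -> bool:
    """True when the server is at or above 2.319.2, the fixed version in the article."""
    return parse_version(version) >= FIXED_VERSION


def find_markup(feed_json: str) -> dict:
    """Return {plugin_name: [field, ...]} for entries whose rendered fields contain HTML tags."""
    feed = json.loads(feed_json)
    hits = {}
    for name, entry in feed.get("plugins", {}).items():
        flagged = [f for f in RENDERED_FIELDS if TAG_RE.search(str(entry.get(f, "")))]
        if flagged:
            hits[name] = flagged
    return hits


def escape_entry(entry: dict) -> dict:
    """Return a copy of a plugin entry with rendered fields HTML-escaped.

    After escaping, '<' becomes '&lt;', so a browser shows the markup as text
    instead of interpreting it; this is the output-encoding side of the fix.
    """
    safe = dict(entry)
    for field in RENDERED_FIELDS:
        if field in safe:
            safe[field] = html.escape(str(safe[field]), quote=True)
    return safe


if __name__ == "__main__":
    for v in ("2.319.1", "2.319.2", "2.375"):
        print(f"Jenkins {v}: {'patched' if is_patched(v) else 'AFFECTED'}")
    flagged = find_markup(SAMPLE_FEED)
    print("entries with markup in rendered fields:", flagged)
    for name in flagged:
        print(name, "escaped ->", escape_entry(json.loads(SAMPLE_FEED)["plugins"][name]))
```

The feed scan is a detection aid for an operator who mirrors or audits an update-center feed; the escaping function shows why the fix is output encoding at render time rather than trusting the feed, since an escaped entry no longer matches the tag pattern at all.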
