Jenkins has released an urgent advisory detailing two vulnerabilities, that expose Jenkins instances to arbitrary file read and unauthorized access risks,
The critical one of the two vulnerabilities, tracked as CVE-2024-43044, allows attackers to execute arbitrary code remotely on Jenkins controllers. This vulnerability stems from a flaw in the Remoting library, which is used for communication between Jenkins controllers and agents.
An attacker can read arbitrary files from the Jenkins controller’s file system, potentially gaining access to sensitive configuration data, credentials, or even source code. The potential impact of this vulnerability is considerable, as it could enable attackers to take complete control of a Jenkins instance and its associated build processes.
The second vulnerability, tracked as CVE-2024-43045, allows unauthorized access to users’ “My Views,” which are personalized dashboards in Jenkins. This vulnerability could expose sensitive information and allow attackers to modify these views, potentially disrupting workflows or causing confusion. While not as severe as the critical RCE vulnerability, this issue still poses a significant risk to the privacy and integrity of Jenkins users’ data.
Affected Jenkins versions are as follows
- Version 2.470 (weekly) – upgrade to 2.471 (weekly),
- Version 2.452.3 (LTS)- upgrade to 2.452.4, and 2.462.1 (LTS)
All Jenkins users are strongly urged to update their installations immediately to mitigate the risk of exploitation.
