
Jenkins fixes multiple vulnerabilities


Jenkins has addressed multiple vulnerabilities impacting both its core system and associated plugins. These flaws, ranging from denial of service to cross-site scripting, pose significant risks to Jenkins users if left unpatched.

The stored XSS vulnerability, tracked as CVE-2024-54003 with a CVSS score of 8.0, was found in the Simple Queue Plugin, which does not escape the view name. It allows attackers with View/Create permission to inject a script that is executed in the browsers of other users who open the affected page, potentially leading to data theft, session hijacking, or further compromise of the controller.

The DoS vulnerability, tracked as CVE-2024-47855 with a CVSS score of 7.5, lies in json-lib, the JSON processing library bundled with Jenkins core. It allows attackers with Overall/Read permission to keep HTTP request handling threads busy indefinitely, consuming system resources and preventing legitimate users from using Jenkins.


The path traversal vulnerability, tracked as CVE-2024-54004 with a CVSS score of 4.3, was found in the Filesystem List Parameter Plugin. It allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.

Jenkins has released updated core and plugin versions that address these vulnerabilities. Users are strongly urged to upgrade to the fixed versions listed in the Jenkins security advisory without delay.

Organizations should prioritize these updates to ensure the security and integrity of their CI/CD pipelines.
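Before scheduling the upgrades, it helps to know which controllers actually carry the affected versions. The script below is an added example, not code from the article or from the Jenkins project: it compares a controller's core version and plugin inventory against the fixed releases. The plugin short names (`simple-queue`, `filesystem-list-parameter-plugin`) and the fixed version numbers are assumptions written from memory of the advisory and must be confirmed against it; the inventory embedded in the script is constructed sample data in the shape of the `/pluginManager/api/json?depth=1` response, which in practice you would fetch from the controller along with the `X-Jenkins` response header that carries the core version.

```python
"""Check a Jenkins controller inventory against fixed versions.

The fixed versions and plugin short names below are ASSUMPTIONS recalled from
the advisory; verify them against the advisory before acting on the output.
The sample inventory is constructed data, not output from a real controller.
"""
import re

# Assumed fixed plugin versions (verify against the advisory).
FIXED_PLUGINS = {
    "simple-queue": "1.4.5",                       # CVE-2024-54003
    "filesystem-list-parameter-plugin": "0.0.15",  # CVE-2024-54004
}
# Assumed fixed core versions.  Weekly and LTS lines are numbered
# independently, so each line is compared against its own fix.
FIXED_CORE = {"weekly": "2.487", "lts": "2.479.2"}  # CVE-2024-47855


def parse_version(version):
    """Turn '2.479.2' or '1.4.5-beta' into a tuple of ints for comparison.
    Anything after a '-' is dropped; tuples compare element-wise, so a
    missing trailing component behaves like 0."""
    numbers = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in numbers)


def core_line(version):
    """LTS releases carry three components (2.479.2); weekly releases two (2.487)."""
    return "lts" if len(parse_version(version)) == 3 else "weekly"


def is_vulnerable(installed, fixed):
    """True when the installed version is older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def check_core(version):
    """Compare a core version (from the X-Jenkins header) against its line's fix."""
    line = core_line(version)
    fixed = FIXED_CORE[line]
    return {"line": line, "installed": version, "fixed": fixed,
            "vulnerable": is_vulnerable(version, fixed)}


def check_plugins(plugin_manager_json):
    """plugin_manager_json: dict shaped like /pluginManager/api/json?depth=1.
    Returns one finding per installed plugin named in FIXED_PLUGINS."""
    findings = []
    for plugin in plugin_manager_json.get("plugins", []):
        name = plugin.get("shortName")
        if name not in FIXED_PLUGINS:
            continue
        fixed = FIXED_PLUGINS[name]
        findings.append({
            "plugin": name,
            "installed": plugin["version"],
            "fixed": fixed,
            "enabled": plugin.get("enabled", True),
            "vulnerable": is_vulnerable(plugin["version"], fixed),
        })
    return findings


# Constructed sample inventory: one outdated plugin, one already fixed, one unrelated.
SAMPLE_INVENTORY = {
    "plugins": [
        {"shortName": "simple-queue", "version": "1.4.4", "enabled": True},
        {"shortName": "filesystem-list-parameter-plugin", "version": "0.0.15", "enabled": True},
        {"shortName": "git", "version": "5.6.0", "enabled": True},
    ]
}

if __name__ == "__main__":
    # Constructed LTS core version, as an X-Jenkins header might report it.
    for finding in [check_core("2.479.1")] + check_plugins(SAMPLE_INVENTORY):
        print(finding)
```

The separate handling of LTS and weekly lines matters: a naive numeric comparison would rate LTS 2.479.2 as older than weekly 2.487 and flag an already patched LTS controller. A plugin that is installed but disabled is still reported, with its `enabled` flag, so it can be removed or updated rather than forgotten.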
