QID 730360
Date Published: 2022-02-17
QID 730360: Jenkins Denial of Service (DoS) Vulnerability (Jenkins Security Advisory 2022-02-09)
Jenkins is an open-source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.
This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml API, to cause a denial of service (DoS).
Affected Versions:
Jenkins weekly up to and including 2.333
Jenkins LTS up to and including LTS 2.319.2
Fixed Versions:
Jenkins weekly should be updated to version 2.334
Jenkins LTS should be updated to version 2.319.3
QID Detection Logic(Unauthenticated):
This QID checks for vulnerable version by sending a crafted GET request to Jenkins. This QID also detects the vulnerable version from login page or HTTP header.
A successful exploit could be resulting in a denial of service (DoS).
For further details refer to Jenkins Security Advisory 2022-01-12Workaround:
Denial of service is detected via unexpectedly long-running collection-related operations. In case of very complex configurations, it is possible that there are false positive detections. Set the Java system property hudson.util.XStream2.collectionUpdateLimit to a number of seconds that a given XML file can take to load collections. Use -1 to disable this protection entirely.
- Jenkins Security Advisory 2022-02-09 -
www.jenkins.io/security/advisory/2022-02-09/
CVEs related to QID 730360
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Jenkins Security Advisory 2022-01-12 |
www.jenkins.io/security/advisory/2022-02-09/ |