QID 730958
Date Published: 2023-10-31
QID 730958: Jenkins HTTP/2 Denial of Service (DoS) Vulnerability (Jenkins Security Advisory 2023-10-18)
Jenkins is an open-source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.
CVE-2023-36478, CVE-2023-44487: Jenkins 2.427 and earlier, and LTS 2.414.2 and earlier, bundle versions of Jetty that allow unauthenticated attackers to cause a denial of service.
Affected Versions:
Jenkins weekly up to and including 2.427
Jenkins LTS up to and including 2.414.2
Fixed Versions:
Jenkins weekly should be updated to version 2.428
Jenkins LTS should be updated to version 2.414.3
NOTE:
This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files. It is disabled by default in all native installers and the Docker images provided by the Jenkins project.
QID Detection Logic(Unauthenticated):
This QID checks for a vulnerable version by sending a crafted GET request to Jenkins. It also detects the vulnerable version from the login page or an HTTP response header.
Successful exploitation of these vulnerabilities allows unauthenticated attackers to cause a denial of service.
For further details refer to Jenkins Security Advisory 2023-10-18.
Workaround:
Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2.
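The version check described above, written out as an added example (this is not the QID's own detection logic or Jenkins project code). It assumes the Jenkins version is reported in an X-Jenkins response header and distinguishes LTS releases (three components, e.g. 2.414.2) from weekly releases (two components, e.g. 2.427), comparing each against the fixed version for its line; the sample header block is constructed.

```python
import re

# Fixed releases named in the advisory, per release line.
FIXED_WEEKLY = (2, 428)
FIXED_LTS = (2, 414, 3)

# Constructed sample response headers; X-Jenkins is assumed to carry the version.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.414.2
X-Hudson: 1.395
Content-Type: text/html;charset=utf-8"""


def parse_version(text: str) -> tuple:
    """Parse '2.427' or '2.414.2' into a tuple of ints for ordered comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: tuple) -> bool:
    # LTS releases carry a third component (2.414.2); weekly releases do not (2.427).
    return len(version) == 3


def is_affected(version_text: str, http2_enabled: bool = True) -> bool:
    """True when the version is below the fixed release for its line.
    The advisory notes only instances with HTTP/2 enabled (--http2Port) are
    exposed, so a caller that knows HTTP/2 is off can pass http2_enabled=False."""
    if not http2_enabled:
        return False
    version = parse_version(version_text)
    fixed = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return version < fixed


def version_from_headers(raw_headers: str):
    """Extract the version from a raw HTTP header block, or None if absent."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    found = version_from_headers(SAMPLE_HEADERS)
    print(f"Jenkins {found}: affected={is_affected(found)}")
```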
- Jenkins Security Advisory 2023-10-18 -
jenkins.io/security/advisory/2023-10-18/
CVEs related to QID 730958
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Jenkins Security Advisory 2023-10-18 | Jenkins | Jetty (bundled) | jenkins.io/security/advisory/2023-10-18/ |