QID 731112
Date Published: 2024-01-31
QID 731112: Jenkins Core Cross-Site WebSocket Hijacking Vulnerability (SECURITY-3315 Jenkins Security Advisory 2024-01-24)
Jenkins is an open-source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.
Affected Versions:
Jenkins weekly from 2.217 up to and including 2.441.
Jenkins LTS from 2.222.1 up to and including LTS 2.426.2.
Fixed Versions:
Jenkins weekly should be updated to version 2.442.
Jenkins LTS should be updated to version 2.426.3.
QID Detection Logic (Unauthenticated):
This QID detects vulnerable versions of Jenkins core from the HTTP response header.
Note: This QID is marked as Practice as the vulnerability has a workaround for the users to mitigate this vulnerability without upgrading to the latest version.
A successful exploit could be resulting in Cross-site WebSocket hijacking vulnerability in the CLI.
For further details refer to SECURITY-3315 Jenkins Security Advisory 2024-01-24Workaround:
Disabling CLI access and Preventing WebSocket access using a reverse proxy helps to mitigate some or all of the impact.
- Jenkins Security Advisory 2024-01-24 -
www.jenkins.io/security/advisory/2024-01-24/
CVEs related to QID 731112
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| SECURITY-3315 Jenkins Security Advisory 2024-01-24 |
www.jenkins.io/security/advisory/2024-01-24/ |