Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

1 year ago AndyC

Mar
08,
2023Ravie
Lakshmanan

A
pair
of
severe
security
vulnerabilities
have
been
disclosed
in
the
Jenkins
open
source
automation
server
that
could
lead
to
code
execution
on
targeted
systems.

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks



Mar
08,
2023Ravie
Lakshmanan


Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

A
pair
of
severe
security
vulnerabilities
have
been
disclosed
in
the
Jenkins
open
source
automation
server
that
could
lead
to
code
execution
on
targeted
systems.

The
flaws,
tracked
as

CVE-2023-27898
and

CVE-2023-27905,
impact
the
Jenkins
server
and
Update
Center,
and
have
been
collectively
christened

CorePlague
by
cloud
security
firm
Aqua.
All
versions
of
Jenkins
versions
prior
to
2.319.2
are
vulnerable
and
exploitable.

“Exploiting
these
vulnerabilities
could
allow
an
unauthenticated
attacker
to
execute
arbitrary
code
on
the
victim’s
Jenkins
server,
potentially
leading
to
a
complete
compromise
of
the
Jenkins
server,”
the
company
said
in
a

report
shared
with
The
Hacker
News.

The
shortcomings
are
the
result
of
how
Jenkins
processes
plugins
available
from
the

Update
Center,
thereby
potentially
enabling
a
threat
actor
to
upload
a
plugin
with
a
malicious
payload
and
trigger
a
cross-site
scripting
(XSS)
attack.

“Once
the
victim
opens
the
Available
Plugin
Manager
on
their
Jenkins
server,
the
XSS
is
triggered,
allowing
attackers
to
run
arbitrary
code
on
the
Jenkins
Server
utilizing
the

Script
Console
API,”
Aqua
said.

Since
it’s
also
a
case
of
stored
XSS
wherein
the
JavaScript
code
is
injected
into
the
server,
the
vulnerability
can
be
activated
without
having
to
install
the
plugin
or
even
visit
the
URL
to
the
plugin
in
the
first
place.

Troublingly,
the
flaws
could
also
affect
self-hosted
Jenkins
servers
and
be
exploited
even
in
scenarios
where
the
server
is
not
publicly
accessible
over
the
internet
since
the
public
Jenkins
Update
Center
could
be
“injected
by
attackers.”

The
attack,
however,
banks
on
the
prerequisite
that
the
rogue
plugin
is
compatible
with
the
Jenkins
server
and
is
surfaced
on
top
of
the
main
feed
on
the
“Available
Plugin
Manager”
page.


WEBINAR

Discover
the
Hidden
Dangers
of
Third-Party
SaaS
Apps

Are
you
aware
of
the
risks
associated
with
third-party
app
access
to
your
company’s
SaaS
apps?
Join
our
webinar
to
learn
about
the
types
of
permissions
being
granted
and
how
to
minimize
risk.

RESERVE
YOUR
SEAT

This,
Aqua
said,
can
be
rigged
by
“uploading
a
plugin
that
contains
all
plugin
names
and
popular
keywords
embedded
in
the
description,”
or
artificially
boost
the
download
counts
of
the
plugin
by
submitting
requests
from
fake
instances.

Following
responsible
disclosure
on
January
24,
2023,
patches
have
been
released
by
Jenkins
for

Update
Center
and

server.
Users
are
recommended
to
update
their
Jenkins
server
to
the
latest
available
version
to
mitigate
potential
risks.

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

3 hours ago AndyC
Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

3 hours ago AndyC
Cyber Criminals Exploit GitHub and FileZilla to Deliver Cocktail Malware

Cyber Criminals Exploit GitHub and FileZilla to Deliver Cocktail Malware

3 hours ago AndyC
Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Latrodectus Malware Loader Emerges as IcedID’s Successor in Phishing Campaigns

9 hours ago AndyC
Chinese Nationals Arrested for Laundering Million in Pig Butchering Crypto Scam

Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam

1 day ago AndyC
Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

1 day ago AndyC

You may have missed

Strengthen Your Security Operations: MITRE ATT&CK Mapping in Cisco XDR

3 hours ago AndyC
Two students uncovered a flaw that allows to use laundry machines for free

Two students uncovered a flaw that allows to use laundry machines for free

3 hours ago AndyC

IBM Sells Cybersecurity Group – Schneier on Security

3 hours ago AndyC
Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

3 hours ago AndyC
Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

3 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.