CVE-2024-23898 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-23898

CVE-2024-23898

January 24, 2024

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

Affected Packages

org.jenkins-ci.main:jenkins-core (JAVA):

Affected version(s) >=2.427 <2.442

Fix Suggestion:

Update to version 2.442

org.jenkins-ci.main:jenkins-core (JAVA):

Affected version(s) >=2.217 <2.426.3

Fix Suggestion:

Update to version 2.426.3

Related Resources (7)

https://github.com/jenkinsci/jenkins/commit/de450967f38398169650b55c002f1229a3fcdb1b

http://www.openwall.com/lists/oss-security/2024/01/24/6

https://nvd.nist.gov/vuln/detail/CVE-2024-23898

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315

https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/

https://github.com/jenkinsci/jenkins

https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Origin Validation Error

CWE-346

EPSS

Base Score:

36.87

Products

Solutions

Resources

Company

Compare

Developer Tools