======================================================================
CERT-Renater Note d'Information No. 2024/VULN495
_____________________________________________________________________

DATE : 27/11/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Jenkins versions prior to weekly 2.487, LTS 2.479.2, Filesystem List Parameter Plugin versions prior to 0.0.15, Simple Queue Plugin versions prior to 1.4.5.
=====================================================================

https://www.jenkins.io/security/advisory/2024-11-27/
_____________________________________________________________________

Jenkins Security Advisory 2024-11-27

This advisory announces vulnerabilities in the following Jenkins deliverables:

  Jenkins (core)
  Filesystem List Parameter Plugin
  Simple Queue Plugin

Descriptions

Denial of service vulnerability in bundled json-lib
SECURITY-3463 / CVE-2024-47855
Severity (CVSS): High
Description:
Jenkins uses the library org.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project's fork of net.sf.json-lib:json-lib, which has since been renamed to org.kordamp.json:json-lib-core.

Jenkins LTS 2.479.1 and earlier and Jenkins weekly 2.486 and earlier bundle org.kohsuke.stapler:json-lib 2.4-jenkins-7 or earlier. These releases are affected by CVE-2024-47855. In Jenkins (without plugins) this allows attackers with Overall/Read permission to keep HTTP request handling threads busy indefinitely, consuming system resources and preventing legitimate users from using Jenkins. Additionally, the Jenkins security team has identified multiple plugins that allow attackers lacking Overall/Read permission to do the same. These plugins include SonarQube Scanner and Bitbucket. Other features of Jenkins or plugins that process user-provided JSON may also be affected, resulting in those features being blocked.
The fix for CVE-2024-47855 in org.kordamp.json:json-lib-core has been backported to org.kohsuke.stapler:json-lib and released in version 2.4-jenkins-8. Jenkins LTS 2.479.2 and Jenkins weekly 2.487 bundle org.kohsuke.stapler:json-lib 2.4-jenkins-8.

Stored XSS vulnerability in Simple Queue Plugin
SECURITY-3467 / CVE-2024-54003
Severity (CVSS): High
Affected plugin: simple-queue
Description:
Simple Queue Plugin 1.4.4 and earlier does not escape the view name. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.

Simple Queue Plugin 1.4.5 escapes the view name.

Path traversal vulnerability in Filesystem List Parameter Plugin
SECURITY-3367 / CVE-2024-54004
Severity (CVSS): Medium
Affected plugin: filesystem-list-parameter-plugin
Description:
Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.

Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. The allow list can be configured to include additional custom base directories.

Severity

  SECURITY-3367: Medium
  SECURITY-3463: High
  SECURITY-3467: High

Affected Versions

  Jenkins weekly up to and including 2.486
  Jenkins LTS up to and including 2.479.1
  Filesystem List Parameter Plugin up to and including 0.0.14
  Simple Queue Plugin up to and including 1.4.4

Fix

  Jenkins weekly should be updated to version 2.487
  Jenkins LTS should be updated to version 2.479.2
  Filesystem List Parameter Plugin should be updated to version 0.0.15
  Simple Queue Plugin should be updated to version 1.4.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
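The allow-list approach described for SECURITY-3367 (a default base of $JENKINS_HOME/userContent/ plus optional extra bases) is illustrated below in Python; this is an added example, not the plugin's own code, and the function names, the constructed JENKINS_HOME layout and the rule that relative input is resolved against the default base are assumptions made here.

```python
import os
import tempfile
from typing import Iterable, List, Optional

def allowed_bases(jenkins_home: str, extra_bases: Iterable[str] = ()) -> List[str]:
    """Build the allow list: $JENKINS_HOME/userContent/ by default, plus any
    operator-configured extra base directories. Every base is canonicalised
    so later comparisons are not fooled by '..' segments or symlinks."""
    bases = [os.path.join(jenkins_home, "userContent"), *extra_bases]
    return [os.path.realpath(b) for b in bases]

def resolve_listing_path(requested: str, bases: List[str]) -> Optional[str]:
    """Return the canonical directory to list if it lies inside some allowed
    base, otherwise None. Relative input is interpreted against the default
    base (assumption of this example). realpath collapses '..' and follows
    symlinks, so the containment test sees the real target."""
    candidate = os.path.realpath(os.path.join(bases[0], requested))
    for base in bases:
        # commonpath avoids the prefix trap: /x/userContent_other must not
        # be accepted just because it starts with the string /x/userContent.
        if os.path.commonpath([base, candidate]) == base:
            return candidate
    return None

def demo() -> dict:
    """Exercise the check against a constructed JENKINS_HOME in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "jenkins_home")
        user_content = os.path.join(home, "userContent")
        os.makedirs(os.path.join(user_content, "builds"))
        os.makedirs(os.path.join(home, "secrets"))            # must never be listable
        os.makedirs(os.path.join(home, "userContent_other"))  # prefix-trap sibling
        # Symlink inside the allowed base pointing outside it.
        os.symlink(os.path.join(home, "secrets"), os.path.join(user_content, "link"))
        bases = allowed_bases(home)
        results = {
            "inside": resolve_listing_path("builds", bases) is not None,
            "dotdot": resolve_listing_path("../secrets", bases) is None,
            "absolute_home": resolve_listing_path(home, bases) is None,
            "prefix_trap": resolve_listing_path(os.path.join(home, "userContent_other"), bases) is None,
            "symlink_escape": resolve_listing_path("link", bases) is None,
        }
        # Adding an extra base opens exactly that directory and nothing else.
        extra = allowed_bases(home, [os.path.join(home, "userContent_other")])
        results["extra_base"] = resolve_listing_path(os.path.join(home, "userContent_other"), extra) is not None
        results["extra_base_still_blocks_secrets"] = resolve_listing_path(os.path.join(home, "secrets"), extra) is None
    return results
```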
Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  Daniel Beck, CloudBees, Inc. for SECURITY-3367
  Joonun Jang for SECURITY-3463
  Swapna Nanda, CloudBees, Inc. for SECURITY-3467

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================