
Jenkins Server Vulnerabilities Chained for Remote Code Execution

Cybersecurity firm Aqua Security warns that two recently patched vulnerabilities affecting Jenkins servers, tracked as CVE-2023-27898 and CVE-2023-27905, can be chained together to achieve remote code execution. The first, CVE-2023-27898, is a high-severity cross-site scripting (XSS) bug in Jenkins core that affects weekly releases 2.270 through 2.393 and long-term support (LTS) releases 2.277.1 through 2.375.3. According to the Jenkins advisory, Jenkins “does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager.” That version string is taken from the plugin metadata served by the update site the instance is configured to use, so an attacker who gets a manipulated plugin hosted there can have script executed in the browser of an administrator who views the plugin manager. The plugin does not need to be installed for exploitation to succeed; it only needs to appear in the update site's metadata.

The second vulnerability, CVE-2023-27905, is a medium-severity XSS bug in update-center2, the tool that generates the Jenkins update sites hosted on updates.jenkins.io. The tool renders the required Jenkins core version on plugin download index pages, taking the value straight from the plugin's metadata without sanitizing it. An attacker could exploit this by submitting a plugin for hosting whose metadata declares a crafted required-core version.
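Both halves of the chain come down to one untrusted string, the plugin's declared required core version, that was rendered into HTML without validation or escaping. The script below is an added example, not code from Jenkins, update-center2 or Aqua Security: it parses a constructed update-center payload in the JSONP form Jenkins update sites serve (`updateCenter.post({...});`, with each plugin entry carrying a `requiredCore` field), flags any entry whose `requiredCore` is not a plain dotted version, and models the pre-fix and post-fix rendering of the incompatibility message side by side. The plugin names, the sample metadata and the message wording are made up for illustration; the render functions model the behaviour the advisory describes rather than reproducing Jenkins' own view code.

```python
import html
import json
import re

# Jenkins update sites publish plugin metadata as JSONP: the JSON object is
# wrapped in `updateCenter.post({...});`. Strip that wrapper before parsing.
JSONP_RE = re.compile(r"^\s*updateCenter\.post\(\s*(.*)\s*\);?\s*$", re.DOTALL)

# A legitimate requiredCore value is dotted digits only, e.g. "2.361.4".
# This is the kind of check update-center2 lacked before its February fix.
REQUIRED_CORE_RE = re.compile(r"^\d+(\.\d+)*$")

# Constructed sample update-center payload (not real update site data).
# One plugin declares a benign requiredCore; the other carries the kind of
# markup an attacker could have smuggled in through a hosted plugin.
SAMPLE_UPDATE_CENTER = r'''updateCenter.post({
  "core": {"version": "2.393"},
  "plugins": {
    "good-plugin": {"name": "good-plugin", "version": "1.0",
                    "requiredCore": "2.361.4"},
    "evil-plugin": {"name": "evil-plugin", "version": "1.0",
                    "requiredCore": "2.361.4<img src=x onerror=alert(document.domain)>"}
  }
});'''


def parse_update_center(text):
    """Return the update-center object, accepting either JSONP or plain JSON."""
    m = JSONP_RE.match(text)
    body = m.group(1) if m else text
    return json.loads(body)


def find_suspicious_required_core(uc):
    """Map plugin name -> requiredCore for every entry that is not a plain version string."""
    bad = {}
    for name, meta in uc.get("plugins", {}).items():
        rc = str(meta.get("requiredCore", ""))
        if not REQUIRED_CORE_RE.match(rc):
            bad[name] = rc
    return bad


def render_incompatibility_message_unsafe(plugin_name, required_core):
    """Models the pre-fix behaviour: untrusted metadata is interpolated into HTML as-is."""
    return f"<div class='error'>{plugin_name} requires Jenkins {required_core}</div>"


def render_incompatibility_message_safe(plugin_name, required_core):
    """Models the fix: HTML-escape every piece of update-site metadata before rendering."""
    return (f"<div class='error'>{html.escape(plugin_name)} requires Jenkins "
            f"{html.escape(required_core)}</div>")


if __name__ == "__main__":
    uc = parse_update_center(SAMPLE_UPDATE_CENTER)
    for name, rc in find_suspicious_required_core(uc).items():
        print(f"suspicious requiredCore in {name}: {rc!r}")
        print("unsafe:", render_incompatibility_message_unsafe(name, rc))
        print("safe:  ", render_incompatibility_message_safe(name, rc))
```

Run against a copy of an update site's JSON, `find_suspicious_required_core` is a cheap way to confirm that no hosted plugin is still advertising a malformed core version; the two render functions show why escaping at the output point, not just validation at the update site, is the fix that protects the Jenkins instance.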

Aqua Security states that a remote attacker could chain these issues to achieve arbitrary code execution on a vulnerable server without authenticating to it: the crafted version string passes through the update site into the metadata that Jenkins instances fetch, and the script it carries runs in the browser of whichever administrator opens the plugin manager, with that administrator's privileges. Aqua named the attack chain CorePlague; a successful attack could lead to full compromise of the Jenkins server.

To close the chain, Jenkins fixed update-center2 on February 15, and this week released Jenkins 2.394 and LTS 2.375.4, which resolve CVE-2023-27898 in Jenkins core along with five other high- and medium-severity bugs. Further details can be found in the Jenkins security advisory.
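Because the weekly and LTS lines have separate affected ranges, checking whether a given instance still needs the update is slightly more than a string comparison. The following is an added triage helper, not something published by Jenkins or Aqua Security: it reads the version Jenkins reports in its `X-Jenkins` response header, classifies it as weekly (two components) or LTS (three components), and compares it against the inclusive ranges from the advisory. The sample header block is constructed, and the `triage` wording is this example's own.

```python
import re

# Affected ranges for CVE-2023-27898, inclusive, as published in the Jenkins advisory.
AFFECTED_WEEKLY = ((2, 270), (2, 393))
AFFECTED_LTS = ((2, 277, 1), (2, 375, 3))
# First fixed releases.
FIXED_WEEKLY = (2, 394)
FIXED_LTS = (2, 375, 4)

# Constructed sample of HTTP response headers from a Jenkins instance (not a
# real capture). Jenkins reports its version in the X-Jenkins response header.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
Date: Wed, 08 Mar 2023 12:00:00 GMT
X-Content-Type-Options: nosniff
X-Hudson: 1.395
X-Jenkins: 2.375.3
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


def parse_jenkins_version(s):
    """'2.375.3' -> (2, 375, 3); rejects anything that is not dotted digits."""
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", s):
        raise ValueError(f"not a Jenkins version string: {s!r}")
    return tuple(int(p) for p in s.split("."))


def is_lts(v):
    """Jenkins LTS releases carry three components (2.375.3); weekly releases carry two (2.393)."""
    return len(v) == 3


def is_affected_by_cve_2023_27898(version):
    v = parse_jenkins_version(version)
    lo, hi = AFFECTED_LTS if is_lts(v) else AFFECTED_WEEKLY
    return lo <= v <= hi


def fixed_version_for(version):
    """The first release on the same line (weekly or LTS) that carries the fix."""
    v = parse_jenkins_version(version)
    return ".".join(map(str, FIXED_LTS if is_lts(v) else FIXED_WEEKLY))


def version_from_headers(raw_headers):
    """Pull the version out of an X-Jenkins header; None if the header is absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(raw_headers):
    v = version_from_headers(raw_headers)
    if v is None:
        return "no X-Jenkins header; not a Jenkins response or the header is suppressed"
    if is_affected_by_cve_2023_27898(v):
        return f"Jenkins {v} is affected by CVE-2023-27898; update to {fixed_version_for(v)} or later"
    return f"Jenkins {v} is outside the affected range"


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```

Feed `triage` the raw headers from a `curl -sI https://jenkins.example/login` against each instance you operate (the hostname here is a placeholder); an instance that reports no `X-Jenkins` header has to be checked by other means rather than assumed patched.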

In short, two recently patched Jenkins vulnerabilities, one in the plugin manager of Jenkins core and one in the update-center2 tool behind updates.jenkins.io, can be chained into unauthenticated remote code execution. Jenkins has fixed update-center2 and shipped Jenkins 2.394 and LTS 2.375.4; instances in the affected ranges should be updated.

Key Points:
• Two recently patched vulnerabilities affecting Jenkins servers can be chained to achieve remote code execution.
• CVE-2023-27898 is a high-severity XSS bug impacting Jenkins versions 2.270 through 2.393 and LTS releases 2.277.1 through 2.375.3.
• CVE-2023-27905 is a medium-severity XSS bug impacting update-center2, a tool that generates Jenkins update sites.
• A remote attacker could chain these issues to achieve arbitrary code execution on a vulnerable server without authentication; the payload runs when an administrator views the plugin manager.
• Jenkins fixed update-center2 on February 15 and released Jenkins 2.394 and LTS 2.375.4 to address the core flaw.
