Severe Security Vulnerabilities Discovered in Jenkins Open Source Automation Server
March 8, 2023
A pair of severe security vulnerabilities, tracked as CVE-2023-27898 and CVE-2023-27905, have been discovered in the Jenkins open source automation server. According to cloud security firm Aqua, all versions of Jenkins prior to 2.319.2 are vulnerable and exploitable. "Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server," Aqua said in a report. The flaws are the result of how Jenkins processes plugins available from the Update Center, potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. Patches have been released by Jenkins for Update Center and server, and users are recommended to update their Jenkins server to the latest available version to mitigate potential risks.
- Surge in ICS Attacks Linked to Bitrix CMS Vulnerability
- Ongoing Exploitation of Critical Vulnerabilities in VMware Cloud Foundation and NSX-V
- LastPass Suffers Second Attack After Failing to Update Plex
- Microsoft Word Vulnerability CVE-2023-21716 Exploitable
- Wago Patches Critical Vulnerabilities in PLCs
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.