Severe Security Vulnerabilities Discovered in Jenkins Open Source Automation Server
March 8, 2023
A pair of severe security vulnerabilities, tracked as CVE-2023-27898 and CVE-2023-27905, have been discovered in the Jenkins open source automation server. According to cloud security firm Aqua, all versions of Jenkins prior to 2.319.2 are vulnerable and exploitable.
"Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server," Aqua said in a report. The flaws stem from how Jenkins handles plugin metadata served by the Update Center: a threat actor could publish a plugin whose metadata carries a malicious payload, and that payload is rendered in the plugin manager of any vulnerable Jenkins server whose administrator views the available plugin list, triggering a cross-site scripting (XSS) attack in the administrator's browser. Because the script runs with the privileges of that administrator, it can drive Jenkins itself, which is how an XSS in the plugin manager escalates to code execution on the server.
Jenkins has released patches for both the hosted Update Center and the server (the server-side fix ships in weekly release 2.394 and LTS 2.375.4). Users should update their Jenkins server to the latest available version to mitigate the risk; the Update Center fix requires no action on the operator's side.
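The bug class Aqua describes, untrusted plugin metadata from the Update Center being interpolated into the plugin manager's HTML, is illustrated below with an added example written for this page. It is not Jenkins code: the JSON layout, the field names, and the rendering functions are simplified assumptions, and the update-center document is constructed inline rather than fetched from the real service. The vulnerable renderer is shown beside the hardened one, together with a small check that flags plugin entries whose string fields contain markup.

```python
import html
import json

# Constructed, simplified update-center style document for illustration only.
# The real Update Center schema differs; field names here are assumptions.
UPDATE_CENTER_JSON = json.dumps({
    "plugins": {
        "harmless": {
            "name": "harmless",
            "requiredCore": "2.375.1",
            "version": "1.0",
        },
        "evil": {
            "name": "evil",
            # A publisher who controls plugin metadata controls strings like this.
            "requiredCore": '2.375.1<img src=x onerror="alert(document.domain)">',
            "version": "1.0",
        },
    }
})


def parse_update_center(doc: str) -> dict:
    """Return the plugin map from an update-center style JSON document."""
    return json.loads(doc)["plugins"]


def render_row_vulnerable(plugin: dict) -> str:
    """Bug class: attacker-controlled metadata goes straight into the page."""
    return (
        f"<tr><td>{plugin['name']}</td>"
        f"<td>Requires Jenkins {plugin['requiredCore']}</td></tr>"
    )


def render_row_fixed(plugin: dict) -> str:
    """Hardened form: every untrusted field is HTML-escaped before output."""
    e = html.escape
    return (
        f"<tr><td>{e(plugin['name'])}</td>"
        f"<td>Requires Jenkins {e(plugin['requiredCore'])}</td></tr>"
    )


def render_plugin_list(doc: str, renderer) -> str:
    """Render the whole 'available plugins' table with the given row renderer."""
    rows = "".join(renderer(p) for p in parse_update_center(doc).values())
    return f"<table>{rows}</table>"


def contains_active_html(markup: str) -> bool:
    """Crude detector for the sample payload: a live tag carrying an event handler."""
    lowered = markup.lower()
    return "<img" in lowered and "onerror=" in lowered


def find_suspicious(doc: str) -> list:
    """Flag plugin entries whose string metadata contains angle brackets.

    A defensive check an operator could run over a mirrored update-center
    document before letting Jenkins consume it (hypothetical workflow).
    """
    flagged = []
    for plugin_id, plugin in parse_update_center(doc).items():
        if any(isinstance(v, str) and ("<" in v or ">" in v) for v in plugin.values()):
            flagged.append(plugin_id)
    return sorted(flagged)


if __name__ == "__main__":
    print("vulnerable:", render_plugin_list(UPDATE_CENTER_JSON, render_row_vulnerable))
    print("fixed:     ", render_plugin_list(UPDATE_CENTER_JSON, render_row_fixed))
    print("flagged:   ", find_suspicious(UPDATE_CENTER_JSON))
```

Running the block shows the same metadata producing a live `<img onerror>` tag in the vulnerable table and an inert `&lt;img ... &gt;` text node in the fixed one. The point for reviewers is that the trust boundary sits at the Update Center feed, not at the local plugin files: anything rendered from that feed must be escaped in the view layer, and the `find_suspicious` style check is only a tripwire, not a substitute for output encoding.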