Advisory

Jenkins warns of critical flaw exposing servers to remote code execution

Take action: If you are running Jenkins, plan to patch. While the flaws are not immediately exploitable, because they require some access permissions, those permissions will eventually be obtained - usually through malware or a compromised endpoint.


Learn More

Jenkins has issued an advisory addressing two vulnerabilities, one of them critical, in its popular open-source automation server:

  • CVE-2024-43044 (CVSS score 9) - Arbitrary File Read Vulnerability. This vulnerability is due to a flaw in the Remoting library, which facilitates communication between Jenkins controllers and agents. The vulnerability allows attackers with Agent/Connect permission to read arbitrary files from the Jenkins controller’s file system. By exploiting this flaw, attackers can access sensitive information such as configuration data, credentials, or source code, and potentially execute arbitrary code remotely on the Jenkins controller.
    • Affected Versions: Jenkins versions up to and including 2.470 (weekly) and 2.452.3 (LTS).
    • Remediation: Update to Jenkins versions 2.471 (weekly), 2.452.4, or 2.462.1 (LTS).
  • CVE-2024-43045 (CVSS score 5.4) - Missing Permission Check exposing Unauthorized Access to "My Views". This vulnerability involves an HTTP endpoint in Jenkins that fails to perform a necessary permission check. As a result, attackers with Overall/Read permission can access other users' personalized dashboards, known as "My Views." Additionally, attackers with global View/Configure and View/Delete permissions could modify or delete these views, leading to potential disruptions in workflows and unauthorized access to user-specific data.
    • Affected Versions: Jenkins versions up to and including 2.470 (weekly) and 2.452.3 (LTS).
    • Remediation: Update to Jenkins versions 2.471 (weekly), 2.452.4, or 2.462.1 (LTS).

All Jenkins users are strongly advised to upgrade their installations to Jenkins versions 2.471 (weekly), 2.452.4, or 2.462.1 (LTS).
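To turn the affected/fixed version lists above into a quick inventory check, here is an added triage helper (example code, not from Jenkins or the advisory). It assumes the plain version string Jenkins reports in its X-Jenkins response header, two components for weekly releases and three for LTS; the hostnames and the handling of LTS lines not named in the advisory are assumptions and are marked as such in the code.

```python
# Triage helper for the advisory above: added example, not Jenkins project code.
# Assumes the plain version string Jenkins reports in its X-Jenkins header:
# two components for weekly (2.470), three for LTS (2.452.3).

# Fixed releases named in the advisory.
FIXED_WEEKLY = (2, 471)
FIXED_LTS = {(2, 452): (2, 452, 4), (2, 462): (2, 462, 1)}


def parse_version(text):
    """'2.452.3' -> (2, 452, 3); rejects anything not 2- or 3-component numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version: {text!r}")
    return parts


def is_vulnerable(text):
    """True when the version predates the fixed release for its line."""
    v = parse_version(text)
    if len(v) == 2:                 # weekly line
        return v < FIXED_WEEKLY
    fixed = FIXED_LTS.get(v[:2])    # LTS line, keyed by its baseline
    if fixed is None:
        # Assumption: LTS lines older than 2.452 are affected (the advisory
        # covers everything up to 2.452.3); later LTS lines carry the fix.
        return v[:2] < min(FIXED_LTS)
    return v < fixed


def remediation_target(text):
    """Fixed release on the same line, so weekly stays weekly and LTS stays LTS."""
    v = parse_version(text)
    if len(v) == 2:
        return "2.471"
    return "2.452.4" if v[:2] <= (2, 452) else "2.462.1"


def triage(inventory):
    """Map each controller that still needs patching to its target version."""
    return {host: remediation_target(ver)
            for host, ver in inventory.items() if is_vulnerable(ver)}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ci-weekly.example": "2.470",
    "ci-lts-a.example": "2.452.3",
    "ci-lts-b.example": "2.462.1",
    "ci-old.example": "2.440.3",
}
```

Feed `triage()` the controller-to-version map from your own asset inventory; an empty result means every controller is already on or past the fixed release for its line.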