{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-014.pdf"
    },
    "title": "Critical Remote Code Execution Vulnerability in Jenkins",
    "serial_number": "2024-014",
    "publish_date": "30-01-2024 09:53:22",
    "description": "On January 24, 2024, Jenkins issued fixes for several vulnerabilities, including CVE-2024-23897, a critical vulnerability that could allow an attacker to achieve remote code execution. The advisory published provides detailed information on various attack scenarios, exploitation pathways, descriptions of the fixes, and potential workarounds for those unable to immediately apply the security updates.<br>\nMultiple proof-of-concept (PoC) exploits for CVE-2024-23897 are now available.<br>\n",
    "url_title": "2024-014",
    "content_markdown": "---\ntitle: 'Critical Remote Code Execution Vulnerability in\u00a0Jenkins'\nnumber: '2024-014'\nversion: '1.1'\noriginal_date: 'January 24, 2024'\ndate: 'January 30, 2024'\n---\n\n_History:_\n\n* _29/01/2024 --- v1.0 -- Initial publication_\n* _30/01/2024 --- v1.1 -- Fix versions in affected products_\n\n# Summary\n\nOn January 24, 2024, Jenkins issued fixes for several vulnerabilities, including **CVE-2024-23897**, a critical vulnerability that could allow an attacker to achieve remote code execution. The advisory published provides detailed information on various attack scenarios, exploitation pathways, descriptions of the fixes, and potential workarounds for those unable to immediately apply the security updates.\n\nMultiple proof-of-concept (PoC) exploits for **CVE-2024-23897** are now available [2].\n\n# Technical Details\n\nThe vulnerability **CVE-2024-23897**, with a CVSS score of 9.8, could allow an unauthenticated attacker with `overall/read` permission to read data from arbitrary files on the Jenkins server [2].\n\nThe vulnerability **CVE-2024-23898**, with a CVSS score of 8.8, is a cross-site WebSocket hijacking issue where attackers could execute arbitrary CLI commands by tricking a user into clicking a malicious link [2].\n\nThe exploitation of these vulnerabilities could lead to admin privilege escalation and arbitrary remote code execution under certain conditions [1].\n\n# Affected Products\n\n- Jenkins weekly up to and including 2.441\n- Jenkins LTS up to and including 2.426.2\n\n# Recommendations\n\nCERT-EU recommends immediate update of affected Jenkins versions to the latest patched versions.\n\n# References\n\n[1] <https://www.jenkins.io/security/advisory/2024-01-24/index.html#SECURITY-3314>\n\n[2] <https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/01/2024 --- v1.0 -- Initial publication</em></li><li><em>30/01/2024 --- v1.1 -- Fix versions in affected products</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 24, 2024, Jenkins issued fixes for several vulnerabilities, including <strong>CVE-2024-23897</strong>, a critical vulnerability that could allow an attacker to achieve remote code execution. The advisory published provides detailed information on various attack scenarios, exploitation pathways, descriptions of the fixes, and potential workarounds for those unable to immediately apply the security updates.</p><p>Multiple proof-of-concept (PoC) exploits for <strong>CVE-2024-23897</strong> are now available [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-23897</strong>, with a CVSS score of 9.8, could allow an unauthenticated attacker with <code>overall/read</code> permission to read data from arbitrary files on the Jenkins server [2].</p><p>The vulnerability <strong>CVE-2024-23898</strong>, with a CVSS score of 8.8, is a cross-site WebSocket hijacking issue where attackers could execute arbitrary CLI commands by tricking a user into clicking a malicious link [2].</p><p>The exploitation of these vulnerabilities could lead to admin privilege escalation and arbitrary remote code execution under certain conditions [1].</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Jenkins weekly up to and including 2.441</li><li>Jenkins LTS up to and including 2.426.2</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends immediate update of affected Jenkins versions to the latest patched versions.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.jenkins.io/security/advisory/2024-01-24/index.html#SECURITY-3314\">https://www.jenkins.io/security/advisory/2024-01-24/index.html#SECURITY-3314</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/\">https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}