History: Jan 24, 2024 - 5:52 p.m.

CVE-2024-23898

2024-01-24 17:52:23
jenkins
www.cve.org
cve-2024-23898, jenkins, cswsh, vulnerability, websocket, hijacking, cli, commands

AI Score: 8.9 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 30.9%)

Jenkins 2.217 through 2.441 (both inclusive) and LTS 2.222.1 through 2.426.2 (both inclusive) do not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability that allows attackers to execute CLI commands on the Jenkins controller.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Jenkins",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThan": "2.217",
        "status": "unaffected",
        "version": "0",
        "versionType": "maven"
      },
      {
        "lessThan": "*",
        "status": "unaffected",
        "version": "2.442",
        "versionType": "maven"
      },
      {
        "lessThan": "2.426.*",
        "status": "unaffected",
        "version": "2.426.3",
        "versionType": "maven"
      },
      {
        "lessThan": "2.440.*",
        "status": "unaffected",
        "version": "2.440.1",
        "versionType": "maven"
      }
    ]
  }
]
