RedhatCVE
added 2024/01/25 8:22 p.m. · 94 views

CVE-2024-23898

A flaw was found in Jenkins where websocket access to the CLI does not perform origin validation of requests when they are made through the websocket endpoint...

CVSS 8.8 · AI score 6.7 · EPSS 0.66921
Exploits 1 · References 5
RedhatCVE
added 2024/01/25 8:21 p.m. · 137 views

CVE-2024-23897

A flaw was found in Jenkins, which uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces the "@" character followed by a file path in an argument with the file’s contents (expandAtFiles)...

CVSS 9.8 · AI score 8.5 · EPSS 0.99999
Exploits 46 · References 6
The Hacker News
added 2024/01/25 11:57 a.m. · 113 views

Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!

The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE...

CVSS 9.8 · AI score 9.6 · EPSS 0.99999
Exploits 46
RedHat Linux
added 2024/01/25 7:51 a.m. · 31 views

Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.11.57 packages and security update

Red Hat OpenShift Container Platform release 4.11.57 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a...

CVSS 7.2 · AI score 7.1 · EPSS 0.01815
Exploits 1 · References 2
Tenable Nessus
added 2024/01/25 12:00 a.m. · 51 views

FreeBSD : jenkins -- multiple vulnerabilities (8b03d274-56ca-489e-821a-cf32f07643f0)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 8b03d274-56ca-489e-821a-cf32f07643f0 advisory. - Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI...

CVSS 9.8 · AI score 8.9 · EPSS 0.99999
Exploits 47 · References 4
Github Security Blog
added 2024/01/24 6:31 p.m. · 70 views

Cross-site WebSocket hijacking vulnerability in the Jenkins CLI

Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...

CVSS 8.8 · AI score 7.1 · EPSS 0.66921
Exploits 1 · References 6 · Affected Software 1
Github Security Blog
added 2024/01/24 6:31 p.m. · 39 views

Arbitrary file read vulnerability in Git server Plugin can lead to RCE

Jenkins Git server Plugin uses the args4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents...

CVSS 6.5 · AI score 6.5 · EPSS 0.01262
Exploits 0 · References 5 · Affected Software 1
AlpineLinux
added 2024/01/24 6:15 p.m. · 43 views

CVE-2024-23898

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenki...

AI score 7.5 · EPSS 0.66921
Exploits 1
AlpineLinux
added 2024/01/24 6:15 p.m. · 33 views

CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system...

AI score 7.5 · EPSS 0.99999
Exploits 46
NVD
added 2024/01/24 6:15 p.m. · 23 views

CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system...

CVSS 9.8 · AI score 9.6 · EPSS 0.99999
Exploits 46 · References 7
OSV
added 2024/01/24 6:15 p.m. · 37 views

CVE-2024-23898

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenki...

CVSS 8.8 · AI score 6.9
Exploits 0 · References 3
OSV
added 2024/01/24 6:15 p.m. · 45 views

CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system...

CVSS 9.8 · AI score 6.9 · EPSS 0.99999
Exploits 46 · References 7
Prion
added 2024/01/24 6:15 p.m. · 30 views

Cross site scripting

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenki...

CVSS 6.8 · AI score 7.2 · EPSS 0.66921
Exploits 1 · References 2 · Affected Software 1
Prion
added 2024/01/24 6:15 p.m. · 31 views

Design/Logic Flaw

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system...

CVSS 7.5 · AI score 7.5 · EPSS 0.99999
Exploits 46 · References 4 · Affected Software 1
Vulnrichment
added 2024/01/24 5:52 p.m. · 4 views

CVE-2024-23898

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenki...

AI score 9.2 · EPSS 0.66921
Exploits 1 · References 3
Cvelist
added 2024/01/24 5:52 p.m. · 34 views

CVE-2024-23898

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenki...

AI score 8.9 · EPSS 0.66921
Exploits 1 · References 3
Cvelist
added 2024/01/24 5:52 p.m. · 43 views

CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system...

AI score 9.7 · EPSS 0.99999
Exploits 46 · References 5
Vulnrichment
added 2024/01/24 5:52 p.m. · 29 views

CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system...

AI score 9.6 · EPSS 0.99999
Exploits 46 · References 5
CVE
added 2024/01/24 5:52 p.m. · 653 views

CVE-2024-23897

CVE-2024-23897 affects Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier. The root cause is an enabled args4j-based CLI feature (expandAtFiles) that replaces an @file path in CLI arguments with the file contents, enabling read access to arbitrary files on the Jenkins controller filesystem. P...

CVSS 9.8 · AI score 8.5 · EPSS 0.99999
In wild · Exploits 46 · References 7 · Affected Software 1
Positive Technologies
added 2024/01/24 12:00 a.m. · 7 views

PT-2024-1303 · Jenkins +1 · Jenkins +1

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.217 through 2.441; Jenkins LTS versions 2.222.1 through 2.426.2. Description: The issue is related to the built-in command line interface (CLI) of the Jenkins server, which has a weakness in its authentication procedure. This...

CVSS 10 · AI score 8.6 · EPSS 0.66921
Exploits 1 · References 25