Researchers from Aqua Nautilus have identified a series of flaws in the widely used Jenkins Server and Update Center that they have termed CorePlague (CVE-2023-27898 and CVE-2023-27905). An unauthenticated attacker might be able to execute arbitrary code on the victim’s Jenkins server by exploiting these vulnerabilities. Successful exploitation could result in a complete compromise of the Jenkins server.
Jenkins is a Java-based open-source automation server that facilitates technical components of continuous delivery while assisting in automating the non-human aspects of the software development process.
Description
The advisory states, “Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager.”
It is important to note that exploitation of this vulnerability does not require the manipulated plugin to be installed.
Attackers upload malicious core versions of the Jenkins plugin to the Jenkins Update Center, exploiting the vulnerabilities through a stored XSS flaw.
The XSS is activated once the victim accesses the Available Plugin Manager on their Jenkins Server, enabling attackers to use the Script Console API to execute arbitrary code on the Jenkins Server.
Affected Versions
Jenkins LTS up to and including 2.375.3 are affected by this vulnerability.
Mitigation
Customers should upgrade to Jenkins LTS 2.375.4 or 2.387.1 to patch the vulnerability.
Please refer to the Jenkins Security Advisory 2023-03-08 for more information.
Qualys Detection
Qualys customers can scan their devices with QID 730750 to detect vulnerable assets. This QID checks for vulnerable version of Jenkins by sending a GET request to /login page and checking the version from the response received.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.jenkins.io/security/advisory/2023-03-08/
https://blog.aquasec.com/jenkins-server-vulnerabilities