CVE-2024-23898
Published 2024-01-24
Priority P2 · EPSS 66% · Severity high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 66.92% (99.2nd percentile)
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins (weekly) | 2.217 – 2.441 | 2.442 |
| jenkins | jenkins (LTS) | 2.222.1 – 2.426.2 | 2.426.3 |
| jenkins | git_server_plugin | — | — |
| jenkins | gitlab_branch_source_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_uses_the_strict_crumb_issuer_plugin | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | log_command_plugin | — | — |
| jenkins | matrix_project_plugin | — | — |
| jenkins | qualys_policy_compliance_scanning_connector_plugin | — | — |
| jenkins | red_hat_dependency_analytics_plugin | — | — |
Only the two Jenkins core rows carry version ranges for this CVE. The plugin rows are the other deliverables covered by the same Jenkins advisory of 2024-01-24 and appear here as aggregator product matches, not as components affected by CVE-2024-23898 itself.
Detection & IOCs (extracted from sources)
- The vulnerable component is the Jenkins CLI WebSocket endpoint. Monitor for WebSocket upgrade requests (HTTP 101 responses) to the CLI WebSocket path whose Origin header names an unexpected or untrusted site rather than the Jenkins root URL.
- The attack needs an authenticated user's browser to load an attacker-controlled page (for example via a malicious link); that page opens a WebSocket to Jenkins and the browser attaches the victim's session cookie. Because the browser sets the Origin header on every WebSocket handshake and a page cannot alter it, a CLI WebSocket handshake carrying a third-party Origin is the clearest indicator.
- Sources report active exploitation in the wild; prioritize detection on internet-exposed Jenkins instances running 2.217 through 2.441 or LTS 2.222.1 through 2.426.2.
- Multiple public PoC exploits exist on GitHub for the companion CVE-2024-23897 (arbitrary file read, potentially leading to RCE), which is frequently chained with CVE-2024-23898; monitor for scanning activity and unexpected CLI command execution on Jenkins controllers.
- Affected versions are Jenkins core 2.217 through 2.441 (inclusive) and LTS 2.222.1 through 2.426.2 (inclusive); fixed in 2.442 and LTS 2.426.3.
- Red Hat OpenShift Container Platform 3.11 ships an affected Jenkins package and has marked it "Will not fix"; deployments on this platform stay vulnerable and need compensating controls, such as blocking cross-origin access to the CLI endpoint at a reverse proxy or disabling CLI access, the workaround the Jenkins advisory recommends for administrators who cannot update.
- Browser SameSite cookie policies partially mitigate the attack: a session cookie the browser treats as SameSite=Lax (Chrome's default for cookies with no explicit attribute) is not sent on a script-initiated cross-site WebSocket handshake. Enforcement differs across browsers and configurations, so this is not a substitute for the fix.
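The detection the bullets above describe, as an added example that is not code from the Jenkins project or from the advisory: it parses constructed reverse-proxy access log lines, flags CLI WebSocket handshakes whose Origin is not the Jenkins root URL, and implements the origin comparison the vulnerable endpoint lacked. It assumes Jenkins sits behind nginx with a custom log_format that records $http_origin and $http_upgrade (nginx's default combined format does not log Origin), a root URL of https://jenkins.example.com, and /cli/ws as the CLI WebSocket path; the log lines, IPs and hostnames are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Assumed deployment values (hypothetical, not taken from the advisory).
JENKINS_ROOT_URL = "https://jenkins.example.com"
CLI_WS_PATH = "/cli/ws"   # path the Jenkins CLI client connects to in -webSocket mode

# Constructed sample log in an assumed nginx log_format of the shape
#   '$remote_addr "$request" $status origin="$http_origin" upgrade="$http_upgrade"'
# ("-" is what nginx writes for an absent header).
SAMPLE_LOG = """\
10.0.0.5 "GET /cli/ws HTTP/1.1" 101 origin="https://jenkins.example.com" upgrade="websocket"
10.0.0.5 "GET /cli/ws HTTP/1.1" 101 origin="-" upgrade="websocket"
203.0.113.7 "GET /cli/ws HTTP/1.1" 101 origin="https://attacker.example" upgrade="websocket"
203.0.113.7 "GET /cli/ws HTTP/1.1" 101 origin="http://jenkins.example.com" upgrade="websocket"
203.0.113.8 "GET /cli/ws HTTP/1.1" 403 origin="https://attacker.example" upgrade="websocket"
10.0.0.9 "GET /api/json HTTP/1.1" 200 origin="https://attacker.example" upgrade="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'origin="(?P<origin>[^"]*)" upgrade="(?P<upgrade>[^"]*)"$'
)


@dataclass(frozen=True)
class UpgradeEvent:
    ip: str
    path: str
    status: int
    origin: Optional[str]   # None when the client sent no Origin header


def parse_line(line: str) -> Optional[UpgradeEvent]:
    """Return an UpgradeEvent for a WebSocket upgrade request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["upgrade"].lower() != "websocket":
        return None
    origin = None if m["origin"] == "-" else m["origin"]
    path = m["path"].split("?", 1)[0]          # ignore any query string
    return UpgradeEvent(m["ip"], path, int(m["status"]), origin)


def _scheme_host_port(url: str):
    """Normalise to (scheme, host, effective port) so that an explicit :443
    or a differently-cased host still compares equal."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def origin_allowed(origin: Optional[str], root_url: str = JENKINS_ROOT_URL) -> bool:
    """The origin check the vulnerable endpoint lacked: the browser-supplied
    Origin must match scheme, host and effective port of the Jenkins root URL,
    so a scheme downgrade (http:// for an https:// root) or an opaque "null"
    origin is rejected. A missing Origin is treated as a non-browser client
    (jenkins-cli.jar sends none); that is this example's policy, not a
    description of what Jenkins' fix does.
    """
    if origin is None:
        return True
    try:
        return _scheme_host_port(origin) == _scheme_host_port(root_url)
    except ValueError:   # e.g. a non-numeric port in the Origin value
        return False


def find_cross_origin_upgrades(lines: Iterable[str],
                               root_url: str = JENKINS_ROOT_URL,
                               path: str = CLI_WS_PATH) -> List[UpgradeEvent]:
    """Upgrade requests to the CLI WebSocket path whose Origin is not the
    Jenkins root URL. Status 101 means the hijack handshake completed;
    any other status is an attempt the proxy or controller rejected."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if (ev and ev.path == path and ev.origin is not None
                and not origin_allowed(ev.origin, root_url)):
            hits.append(ev)
    return hits


def completed_hijacks(lines: Iterable[str],
                      root_url: str = JENKINS_ROOT_URL) -> List[UpgradeEvent]:
    """Subset of cross-origin upgrades that the server actually accepted."""
    return [ev for ev in find_cross_origin_upgrades(lines, root_url) if ev.status == 101]


if __name__ == "__main__":
    for ev in find_cross_origin_upgrades(SAMPLE_LOG.splitlines()):
        verdict = "HIJACK COMPLETED" if ev.status == 101 else "blocked"
        print(f"{verdict}: {ev.ip} origin={ev.origin} status={ev.status}")
```

On the constructed sample this flags three cross-origin handshakes, two of them completed (one from attacker.example, one a scheme-downgraded http://jenkins.example.com origin) and one the proxy answered with 403. A completed handshake shows the endpoint accepted the cross-origin connection; whether CLI commands then ran under the victim's identity depends on whether the browser attached the session cookie, which SameSite=Lax defaults prevent for script-initiated handshakes, so correlate hits with the controller's own record of CLI command execution before declaring compromise.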
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Red Hat (vendor): 8.8 HIGH
GHSA
Cross-site WebSocket hijacking vulnerability in the Jenkins CLI
ghsa · 2024-01-24 · CVE-2024-23898 [HIGH] · CWE-346 (Origin Validation Error)
Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication functionality, like HTTP Basic authentication with API tokens, or session cookies. This endpoint is enabled when running on a version of Jetty for which Jenkins supports WebSockets. This is the case when using the provided native installers, packages, or the Docker containers, as well as when running Jenkins with the command java -jar jenkins.war.
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) do
OSV
Cross-site WebSocket hijacking vulnerability in the Jenkins CLI
osv · 2024-01-24 · CVE-2024-23898 [HIGH]
(Advisory text identical to the GHSA entry above.)
Jenkins
Jenkins Security Advisory 2024-01-24
vendor_jenkins · 2024-01-24 · CVSS 9.8 (the aggregator keys this advisory entry on CVE-2023-6147 [CRITICAL]; CVE-2024-23898 is tracked as SECURITY-3315 within the same advisory)
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Git server Plugin
- GitLab Branch Source Plugin
- Log Command Plugin
- Matrix Project Plugin
- Qualys Policy Compliance Scanning Connector Plugin
- Red Hat Depen
Red Hat
jenkins: cross-site WebSocket hijacking
vendor_redhat·2024-01-09·CVSS 8.8
CVE-2024-23898 [HIGH] CWE-79 jenkins: cross-site WebSocket hijacking
jenkins: cross-site WebSocket hijacking
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.
A flaw was found in Jenkins where websocket access to the CLI does not perform origin validation of requests when they are made through the websocket endpoint.
Package: jenkins (Red Hat OpenShift Container Platform 3.11) - Will not fix
No detection rules found.
No public exploits indexed.
References:
- http://www.openwall.com/lists/oss-security/2024/01/24/6
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
Published: 2024-01-24