-1.svg){kind=logo}
Jenkins customers could be at risk due to a critical security flaw. Here's what you need to know.
Background
On January 24th, 2024 Jenkins released an advisory detailing a serious security flaw (CVE-2024-0204) in their open-source automation server. Jenkins is a tool often used by organizations for software development and collaboration. The vulnerability allows a remote attacker to read files or execute arbitrary code. Corvus has observed similar vulnerabilities lead to exploitation in the past. Security patches have been released and should be applied as soon as possible.
Impact
The vulnerability affects Jenkins instances running the following versions:
- Jenkins 2.441 and earlier
- Jenkins LTS 2.426.2 and earlier
Attackers can read files and execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. Impacted organizations should apply a security patch immediately.
Next Steps for Jenkins Customers:
- Download and install the latest version of the affected products:
- Jenkins should be updated to Jenkins 2.442
- Jenkins LTS should be updated to version 2.426.3
- If you aren’t able to patch, the Jenkins team has provided the following mitigation option:
- Disable access to the CLI (see here for documentation on this workaround).