CVE-2024-23898

EPSS 26.46%
Published 24.01.2024 18:15:09
Last modified 21.11.2024 08:58:39
Source jenkinsci-cert@googlegroups.co
Teams watchlist Login
Open Login

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Jenkins ≫ Jenkins SwEdition- Version >= 2.217 <= 2.441

Jenkins ≫ Jenkins SwEditionlts Version >= 2.222.1 <= 2.426.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	26.46%	0.962

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

http://www.openwall.com/lists/oss-security/2024/01/24/6

https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-23898

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-23898

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-23898

EUVD