VID | 210283
Severity | 40
Port | 80, ...
Protocol | TCP
Class | WWW
Detailed Description |
According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.452.4 or Jenkins weekly prior to 2.471. It is, therefore, affected by multiple vulnerabilities:
- Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library. (CVE-2024-43044)
- Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' My Views. (CVE-2024-43045)
* References: https://jenkins.io/security/advisory/2024-08-07
* Platforms Affected: Jenkins LTS all versions equal to or lower than 2.452.4, any operating system, any version
Recommendation |
Upgrade to the latest version of Jenkins LTS (2.452.4 or later), available from the Jenkins Software Foundation download site: https://jenkins.io/download
Related URL | CVE-2024-43044, CVE-2024-43045 (CVE)