<p>Upgrade <code>org.jenkins-ci.main:jenkins-core</code> to version 2.426.3, 2.440.1, 2.442 or higher.</p>

Origin Validation Error Affecting org.jenkins-ci.main:jenkins-core package, versions [,2.426.3) [2.427,2.440.1) [2.441,2.442)

Threat Intelligence

0.07% (33^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGJENKINSCIMAIN-6191175
published 26 Jan 2024
disclosed 24 Jan 2024
credit Yaniv Nizry

Report a new vulnerability Found a mistake?

Introduced: 24 Jan 2024

CVE-2024-23898 Open this link in a new tab CWE-346 Open this link in a new tab

How to fix?

Upgrade org.jenkins-ci.main:jenkins-core to version 2.426.3, 2.440.1, 2.442 or higher.

Overview

org.jenkins-ci.main:jenkins-core is an open source automation server.

Affected versions of this package are vulnerable to Origin Validation Error due to a lack of origin validation on the CLI WebSocket endpoint. An attacker can execute arbitrary CLI commands on the Jenkins controller by exploiting the cross-site WebSocket hijacking vulnerability.

Note:

Jenkins does not set an explicit SameSite attribute for session cookies. This can allow cross-site requests to make use of the session cookie, i.e., those requests are sent with the logged-in user’s authentication.

Workaround

Prevent WebSocket access using a reverse proxy
Disable CLI access

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High

Origin Validation Error Affecting org.jenkins-ci.main:jenkins-core package, versions [,2.426.3) [2.427,2.440.1) [2.441,2.442)

Severity

CVSS assessment made by Snyk's Security Team