exploitDog
CVE-2024-43044

Published: 07 Aug 2024
Source: redhat
CVSS3: 8.8
EPSS: Medium

Description

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the ClassLoaderProxy#fetchJar method in the Remoting library.

A vulnerability was found in the Remoting library in Jenkins core, which handles communication between the Jenkins controller and agents. The ClassLoaderProxy#fetchJar function may allow malicious agents, or attackers with Agent/Connect permission, to read arbitrary files from the Jenkins controller's file system due to insufficient path restrictions, which could lead to privilege escalation and remote code execution (RCE).

Statement

This vulnerability is classified as critical because it could allow remote code execution (RCE). Additionally, this vulnerability may enable an attacker to read arbitrary files from the Jenkins controller, resulting in a significant exposure of confidential information, compromising the overall integrity of the Jenkins instance.

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Affected packages

Platform                                  | Package            | State                | Advisory       | Release date
Red Hat OpenShift Container Platform 3.11 | jenkins            | Out of support scope |                |
OCP-Tools-4.12-RHEL-8                     | jenkins            | Fixed                | RHSA-2024:5410 | 14.08.2024
OCP-Tools-4.12-RHEL-8                     | jenkins-2-plugins  | Fixed                | RHSA-2024:5410 | 14.08.2024
OCP-Tools-4.13-RHEL-8                     | jenkins            | Fixed                | RHSA-2024:5406 | 14.08.2024
OCP-Tools-4.13-RHEL-8                     | jenkins-2-plugins  | Fixed                | RHSA-2024:5406 | 14.08.2024
OCP-Tools-4.14-RHEL-8                     | jenkins            | Fixed                | RHSA-2024:5411 | 14.08.2024
OCP-Tools-4.14-RHEL-8                     | jenkins-2-plugins  | Fixed                | RHSA-2024:5411 | 14.08.2024
OCP-Tools-4.15-RHEL-8                     | jenkins            | Fixed                | RHSA-2024:5405 | 14.08.2024
OCP-Tools-4.15-RHEL-8                     | jenkins-2-plugins  | Fixed                | RHSA-2024:5405 | 14.08.2024

Additional information

Status: Critical
Defect: CWE-22
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2303466
jenkins: Arbitrary file read vulnerability through agent connections can lead to RCE

EPSS
Percentile: 98%
Score: 0.53187
Medium

CVSS3: 8.8 High

Related vulnerabilities

nvd (CVSS3: 8.8, 11 months ago)
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

debian (CVSS3: 8.8, 11 months ago)
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent proces ...

github (CVSS3: 9, 11 months ago)
Jenkins Remoting library arbitrary file read vulnerability

fstec (CVSS3: 9, 11 months ago)
Vulnerability in the Remoting library of the Jenkins automation server that allows arbitrary code execution by

redos (CVSS3: 6.3, 9 months ago)
Multiple vulnerabilities in jenkins
