exploitDog
CVE-2024-43044

Published: 07 Aug 2024
Source: redhat
CVSS3: 8.8

Description

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the ClassLoaderProxy#fetchJar method in the Remoting library.

A vulnerability was found in the Remoting library in Jenkins core, which handles communication between the Jenkins controller and its agents. The ClassLoaderProxy#fetchJar method may allow a malicious agent, or an attacker holding the Agent/Connect permission, to read arbitrary files from the Jenkins controller's file system, because the file the controller serves in response to the call is insufficiently restricted (CWE-22). Since the controller's file system holds the secrets that protect the instance, such a read can lead to privilege escalation and remote code execution (RCE) on the controller.
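To make the flaw class concrete, the following is an added illustration written for this page; it is hypothetical model code, not Jenkins or Remoting source. It contrasts the vulnerable shape (the agent names a file and the controller reads it, with only a root-relative "restriction") against one hardened shape (the controller keeps an allowlist of jars it chose to export and answers fetch requests only from that table, so nothing the agent sends is ever turned into a path). The names `fetch_jar_unrestricted`, `ControllerJarService`, `export_jar` and `fetch_jar_allowlisted`, and the constructed directory tree with a fake jar and a fake secret, are all assumptions made here; the block does not claim to reproduce the actual Jenkins fix.

```python
"""Model of the CWE-22 flaw class behind CVE-2024-43044 (hypothetical code,
not Jenkins/Remoting source): a controller serving jar bytes on an agent's
request, first without and then with a controller-side allowlist."""
import tempfile
from pathlib import Path


def build_controller_tree() -> Path:
    """Create a constructed, throw-away 'controller' directory tree.

    Two kinds of file sit side by side, as they do on a real controller:
    a jar the controller legitimately ships to agents, and a secret that
    no agent should ever be able to read.
    """
    root = Path(tempfile.mkdtemp(prefix="ctrl-"))
    (root / "lib").mkdir()
    (root / "lib" / "remoting.jar").write_bytes(b"PK\x03\x04 fake jar bytes")
    (root / "secrets").mkdir()
    (root / "secrets" / "master.key").write_bytes(b"CONSTRUCTED-SECRET-KEY")
    return root


def fetch_jar_unrestricted(root: Path, requested: str) -> bytes:
    """Vulnerable shape: the agent names the file and the controller reads it.

    The only 'restriction' is that the name is resolved relative to the
    controller root. '..' components and absolute paths escape it, and even
    a file that does sit under root (secrets/master.key) is served.
    """
    return (root / requested).read_bytes()


class ControllerJarService:
    """Hardened shape: the agent may only fetch jars the controller exported.

    The controller decides which jars an agent may retrieve, records them
    under a name of its own choosing, and answers fetch requests purely
    from that table. Agent input is used as a dictionary key, never as a path.
    """

    def __init__(self, root: Path) -> None:
        self._root = root.resolve()
        self._exported: dict[str, Path] = {}

    def export_jar(self, relative_path: str) -> str:
        """Controller-side registration of a jar it intends to send."""
        path = (self._root / relative_path).resolve()
        # Defence in depth: registration itself is confined to the jar
        # directory, so a bug elsewhere cannot export a secret by mistake.
        if path.parent != self._root / "lib" or path.suffix != ".jar":
            raise ValueError(f"refusing to export non-jar {relative_path!r}")
        name = path.name
        self._exported[name] = path
        return name

    def fetch_jar_allowlisted(self, requested: str) -> bytes:
        """Agent-side request: served only if that exact name was exported."""
        path = self._exported.get(requested)
        if path is None:
            raise PermissionError(f"agent requested non-exported jar {requested!r}")
        return path.read_bytes()


def demo() -> dict[str, bool]:
    """Run both shapes against the same hostile request and report outcomes."""
    root = build_controller_tree()
    hostile = "secrets/master.key"  # agent-chosen name
    leaked = fetch_jar_unrestricted(root, hostile)

    svc = ControllerJarService(root)
    name = svc.export_jar("lib/remoting.jar")
    try:
        svc.fetch_jar_allowlisted(hostile)
        blocked = False
    except PermissionError:
        blocked = True

    return {
        "leaked_secret": leaked == b"CONSTRUCTED-SECRET-KEY",
        "hardened_blocked": blocked,
        "hardened_serves_exported": svc.fetch_jar_allowlisted(name).startswith(b"PK"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened shape is where the decision lives: the set of fetchable jars is populated by controller code before any agent request arrives, so a path-containment check on agent input is not needed and cannot be bypassed, and the controller's own registration is still confined so the allowlist cannot accidentally grow to include secrets.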

Statement

This vulnerability is classified as critical because it could allow remote code execution (RCE). Additionally, this vulnerability may enable an attacker to read arbitrary files from the Jenkins controller, resulting in a significant exposure of confidential information, compromising the overall integrity of the Jenkins instance.

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue and has not been able to identify a practical one. Please update the affected package as soon as possible.

Affected packages

Platform | Package | State | Advisory | Release date
Red Hat OpenShift Container Platform 3.11 | jenkins | Out of support scope | - | -
OCP-Tools-4.12-RHEL-8 | jenkins | Fixed | RHSA-2024:5410 | 14.08.2024
OCP-Tools-4.12-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:5410 | 14.08.2024
OCP-Tools-4.13-RHEL-8 | jenkins | Fixed | RHSA-2024:5406 | 14.08.2024
OCP-Tools-4.13-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:5406 | 14.08.2024
OCP-Tools-4.14-RHEL-8 | jenkins | Fixed | RHSA-2024:5411 | 14.08.2024
OCP-Tools-4.14-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:5411 | 14.08.2024
OCP-Tools-4.15-RHEL-8 | jenkins | Fixed | RHSA-2024:5405 | 14.08.2024
OCP-Tools-4.15-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:5405 | 14.08.2024

Additional information

Severity: Critical
Weakness: CWE-22
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2303466
jenkins: Arbitrary file read vulnerability through agent connections can lead to RCE

CVSS3: 8.8 (High)

Related vulnerabilities

CVSS3: 8.8
nvd
about 1 year ago

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

CVSS3: 8.8
debian
about 1 year ago

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent proces ...

CVSS3: 9
github
about 1 year ago

Jenkins Remoting library arbitrary file read vulnerability

CVSS3: 9
fstec
about 1 year ago

Vulnerability in the Remoting library of the Jenkins automation server, allowing arbitrary code execution by

CVSS3: 6.3
redos
12 months ago

Multiple vulnerabilities in jenkins