This issue is rated as high severity due to the risk of being exploited via Jenkins’s hosted and public build logs. Stored XSS vulnerabilities in Jenkins’s web interface can be exploited by attackers to gain remote access or by employees who fail to change their XSS-infected credentials. End users are advised to upgrade Jenkins to version 838.va_3a_087b_4055b or later.
Jenkins is a popular open source automation server that allows developers to continuously build, test, and deploy their projects. Its popularity has become so widespread that it is now hosted by major companies such as Microsoft, IBM, and Red Hat.
The vulnerability was found in Jenkins’s public build logs. Anyone can view these public build logs on Jenkins’s website without authentication. This vulnerability probably went unnoticed for some time because the victim would have had to be logged in on the site for this issue to be exploitable.
The vulnerability could also have been exploited by employees who failed to change their XSS-infected credentials. The threat actors could have then gained access to Jenkins’s system and executed actions remotely without any authentication or authorization needed.
CVE-2022-43409 is the vulnerable component in Jenkins. This vulnerability has been assigned a high severity rating because it allows attackers to gain remote access or by employees who cannot change their XSS-infected credentials.
Because this issue is rated high severity, follow the instructions below:
- See the Upgrade Instructions section in the reference for a complete list of steps to take.
- Follow these instructions to update Jenkins:
o Navigate to the Jenkins download page at https://jenkins.io/downloads/
o Download and execute the auto-update script from your terminal application.
o To install from source, use one of the following commands:
sudo apt-get update && sudo apt-get -y upgrade
cd /tmp && wget https://jenkins.io/downloads/maven.repo -O jenkins.repo
sudo mv jenkins.repo /etc/apt/sources.list.d/jenkins.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv E16AD0E4
sudo apt update && sudo apt install jenkins
mv jenkins_home /opt/jenkins
Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 17:20:00 UTC