Home Security New Safety Flaws May Permit Code Execution Assaults

New Safety Flaws May Permit Code Execution Assaults

by crpt os


Mar 08, 2023Ravie Lakshmanan

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems.

The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are vulnerable and exploitable.

“Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim’s Jenkins server, potentially leading to a complete compromise of the Jenkins server,” the company said in a report shared with The Hacker News.

The shortcomings are the result of how Jenkins processes plugins available from the Update Center, thereby potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack.

“Once the victim opens the ‘Available Plugin Manager’ on their Jenkins server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins Server utilizing the Script Console API,” Aqua said.

Since it’s also a case of stored XSS wherein the JavaScript code is injected into the server, the vulnerability can be activated without having to install the plugin or even visit the URL to the plugin in the first place.

Troublingly, the flaws could also affect self-hosted Jenkins servers and be exploited even in scenarios where the server is not publicly accessible over the internet since the public Jenkins Update Center could be “injected by attackers.”

The attack, however, banks on the prerequisite that the rogue plugin is compatible with the Jenkins server and is surfaced on top of the main feed on the “Available Plugin Manager” page.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

This, Aqua said, can be rigged by “uploading a plugin that contains all plugin names and popular keywords embedded in the description,” or artificially boost the download counts of the plugin by submitting requests from fake instances.

Following responsible disclosure on January 24, 2023, patches have been released by Jenkins for Update Center and server. Users are recommended to update their Jenkins server to the latest available version to mitigate potential risks.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex