Multiple Vulnerabilities in Jenkins Server and Update Centre
10 March 2023
The high-severity vulnerabilities are:
• CVE-2023-27898: A stored cross-site scripting (XSS) vulnerability. An attacker able to provide plugins to the configured update sites could cause the plugin manager's error message, which reports a plugin's incompatibility with the current version of Jenkins, to carry attacker-controlled content, potentially leading to arbitrary code execution.
• CVE-2023-27899: A vulnerability that could allow attackers with read and write access to the controller file system to modify a plugin before it is installed in Jenkins, potentially leading to arbitrary code execution.
The products affected by the vulnerabilities include:
For CVE-2023-27898:
Jenkins 2.270 through 2.393 (both inclusive)
Jenkins LTS 2.277.1 through 2.375.3 (both inclusive)
For CVE-2023-27899:
Jenkins 2.393 and earlier
Jenkins LTS 2.375.3 and earlier
Users and administrators of the affected Jenkins products are advised to upgrade to the latest versions immediately.
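As an added example (not from the advisory or the Jenkins project), the following Python check classifies a Jenkins version string against the affected ranges listed above, distinguishing weekly (x.y) from LTS (x.y.z) numbering; the host inventory lines are constructed for illustration.

```python
# Added example: check Jenkins versions against the affected ranges in this advisory.
# Assumption: weekly releases carry two components ("2.393"), LTS releases three ("2.375.3").
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.strip().split("."))


def is_lts(v: str) -> bool:
    # LTS baselines are published as x.y.z; weekly releases as x.y
    return len(parse_version(v)) == 3


# Inclusive (lower, upper) bounds per release line; None means "and earlier" (no lower bound)
AFFECTED: Dict[str, Dict[str, Tuple[Optional[str], str]]] = {
    "CVE-2023-27898": {"weekly": ("2.270", "2.393"), "lts": ("2.277.1", "2.375.3")},
    "CVE-2023-27899": {"weekly": (None, "2.393"), "lts": (None, "2.375.3")},
}


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from this advisory that apply to the given version."""
    line = "lts" if is_lts(version) else "weekly"
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        lo, hi = ranges[line]
        # Tuple comparison handles both two- and three-component versions
        if (lo is None or parse_version(lo) <= v) and v <= parse_version(hi):
            hits.append(cve)
    return hits


# Constructed inventory: "host,version" per line (versions other than the advisory's are samples)
INVENTORY = """\
ci-prod-01,2.375.3
ci-prod-02,2.375.4
ci-dev-01,2.393
ci-dev-02,2.269
ci-lab-01,2.277.1
"""


def scan_inventory(text: str) -> Dict[str, List[str]]:
    """Map each host to the list of advisory CVEs its version falls under."""
    report = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        host, version = raw.split(",", 1)
        report[host] = affected_cves(version)
    return report
```

Note that a weekly release older than 2.270 (such as the constructed 2.269) falls outside the CVE-2023-27898 range but still matches CVE-2023-27899, which has no lower bound.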
More information is available here:
https://www.jenkins.io/security/advisory/2023-03-08/
https://thehackernews.com/2023/03/jenkins-security-alert-new-security.html
https://blog.aquasec.com/jenkins-server-vulnerabilities
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27899