PT-2024-1303 · Jenkins
Yaniv Nizry · Published 2024-01-24 · Updated 2024-05-14
CVE-2024-23898
CVSS v2.0: 10 (High), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.217 through 2.441
Jenkins LTS versions 2.222.1 through 2.426.2
Description
The vulnerability lies in the built-in command line interface (CLI) of the Jenkins controller, whose WebSocket endpoint does not validate the Origin of incoming requests. This weakness in the authentication procedure allows a remote attacker to carry out a cross-site WebSocket hijacking (CSWSH) attack and execute CLI commands on the Jenkins controller.
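As an added illustration of the weakness described above (this is example code, not the project's code or its patch), the handlers below contrast a WebSocket upgrade that checks only the session with one that also validates the Origin header; the endpoint path, root URL, header values and the policy of admitting Origin-less requests are assumptions of this example.

```python
"""Origin validation on a WebSocket upgrade: the CSWSH weakness beside its fix.
Constructed example; the endpoint path, root URL and header values are made up
and none of this is Jenkins code."""
from urllib.parse import urlsplit

CLI_WS_PATH = "/cli/ws"  # hypothetical path of the WebSocket CLI endpoint

def _is_upgrade(headers: dict) -> bool:
    return (headers.get("Upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("Connection", "").lower())

def _origin_key(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in, so that
    https://ci.example and https://ci.example:443 compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(scheme))

def vulnerable_handshake(path: str, headers: dict, session_valid: bool) -> bool:
    """Weak form: any upgrade request carrying a valid session is accepted.
    Browsers attach the session cookie automatically, so a page on another
    origin can open the socket and issue CLI commands as the victim."""
    return path == CLI_WS_PATH and _is_upgrade(headers) and session_valid

def hardened_handshake(path: str, headers: dict, session_valid: bool,
                       server_root_url: str) -> bool:
    """Fixed form: an Origin header, which browsers always send on a WebSocket
    handshake, must match the server's own root URL. Requests without Origin
    come from non-browser clients (the CLI tool) and are admitted on the
    session alone; that policy is this example's assumption, not the patch."""
    if not vulnerable_handshake(path, headers, session_valid):
        return False
    origin = headers.get("Origin")
    return origin is None or _origin_key(origin) == _origin_key(server_root_url)

def demo() -> dict:
    """Constructed requests: the victim's browser holds a valid session for
    https://ci.example; one handshake is triggered by a page on another origin."""
    cross_site = {"Upgrade": "websocket", "Connection": "Upgrade",
                  "Origin": "https://attacker.example"}
    same_origin = dict(cross_site, Origin="https://ci.example:443")
    cli_tool = {"Upgrade": "websocket", "Connection": "Upgrade"}  # no Origin
    root = "https://ci.example"
    return {
        "vulnerable_accepts_cross_site": vulnerable_handshake(CLI_WS_PATH, cross_site, True),
        "hardened_rejects_cross_site": not hardened_handshake(CLI_WS_PATH, cross_site, True, root),
        "hardened_allows_same_origin": hardened_handshake(CLI_WS_PATH, same_origin, True, root),
        "hardened_allows_cli_tool": hardened_handshake(CLI_WS_PATH, cli_tool, True, root),
    }
```

An opaque `Origin: null` (sent for sandboxed or file-origin pages) also fails the comparison, which is the safe default for an endpoint that executes commands.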
Recommendations
For Jenkins versions 2.217 through 2.441, update to a version that includes the fix for this issue.
For Jenkins LTS versions 2.222.1 through 2.426.2, update to a version that includes the fix for this issue.
As a temporary workaround, consider disabling the CLI WebSocket endpoint until a patch is available.
Restrict access to the Jenkins controller to minimize the risk of exploitation.
Fix
DoS
Origin Validation Error
Improper Authentication
Related Identifiers
Affected Products
Jenkins
Red Os