PT-2024-5496 · Remoting +2

Jiangchenwei +1 · Published 2024-08-07 · Updated 2025-01-13 · CVE-2024-43044

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.470 and earlier, LTS versions 2.452.3 and earlier

Description: A critical issue in Jenkins allows agent processes to read arbitrary files from the Jenkins controller file system via the ClassLoaderProxy#fetchJar method of the Remoting library. This can expose sensitive data and potentially allow attackers to achieve remote code execution (RCE) on Jenkins controllers. The vulnerability stems from the Remoting library's ability to load classes and classloader resources from the controller, which an attacker holding Agent/Connect permission can abuse. It is estimated that around 524,309 devices may be affected.

Recommendations: For Jenkins versions 2.470 and earlier and LTS versions 2.452.3 and earlier, update to Jenkins 2.471, LTS 2.452.4, or later to resolve the issue. As a temporary workaround, consider restricting access to the ClassLoaderProxy#fetchJar method or disabling the Remoting library until the update can be applied. Additionally, restrict access to the vulnerable Channel#preloadJar API endpoint to minimize the risk of exploitation.
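The recommendation above reduces to a version threshold per release line. Added here as an example (not code from the advisory or the Jenkins project): a Python check that classifies a Jenkins version string, weekly or LTS, as affected or fixed using the versions the advisory states; the sample inventory is constructed.

```python
# Added example: classify Jenkins versions against the CVE-2024-43044 thresholds
# stated in the advisory (weekly <= 2.470 affected, fixed in 2.471;
# LTS <= 2.452.3 affected, fixed in 2.452.4). Not part of the advisory itself.
from __future__ import annotations

FIXED_WEEKLY = (2, 471)      # first fixed weekly release
FIXED_LTS = (2, 452, 4)      # first fixed LTS release


def parse_version(version: str) -> tuple[int, ...]:
    """Parse 'MAJOR.MINOR' (weekly) or 'MAJOR.MINOR.PATCH' (LTS) into an int tuple."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(parsed: tuple[int, ...]) -> bool:
    """Jenkins LTS releases carry a third component (e.g. 2.452.3); weekly ones do not."""
    return len(parsed) == 3


def is_affected(version: str) -> bool:
    """True if the version is below the first fixed release of its own line.

    Tuple comparison handles both lines: a weekly 2.453 is still affected even
    though it is numerically above LTS 2.452.4, because it is below weekly 2.471.
    """
    parsed = parse_version(version)
    fixed = FIXED_LTS if is_lts(parsed) else FIXED_WEEKLY
    return parsed < fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map controller name -> 'affected' | 'fixed' | 'unknown' for a version inventory."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"   # unparsable version string, needs manual review
    return result


if __name__ == "__main__":
    # Constructed inventory (hypothetical controller names and versions).
    sample = {"ci-weekly": "2.470", "ci-lts": "2.452.3", "ci-new": "2.462.1", "ci-odd": "latest"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```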

Exploit

Fix

RCE

Path traversal

Improper Check for Exceptional Conditions

Weakness Enumeration

Related Identifiers

BDU:2024-06145
BIT-JENKINS-2024-43044
CVE-2024-43044
GHSA-H856-FFVV-XVR4
RHSA-2024:5405
RHSA-2024:5406
RHSA-2024:5410
RHSA-2024:5411

Affected Products

Jenkins
Red Os
Remoting