Jenkins Security Advisory: DoS, XSS, Path Traversal in Core and Plugins (CVE-2024-47855, CVE-2024-54003, CVE-2024-54004)

From this webpage screenshot, the following key information about the vulnerabilities can be obtained: 1. Vulnerability Types: - Denial of service vulnerability in bundled json-lib (CVE-2024-47855) - Stored XSS vulnerability in Simple Queue Plugin (CVE-2024-54003) - Path traversal vulnerability in Filesystem List Parameter Plugin (CVE-2024-54004) 2. Affected Components: - Jenkins (core) - Filesystem List Parameter Plugin - Simple Queue Plugin 3. Vulnerability Descriptions: - Denial of service vulnerability in bundled json-lib: Jenkins uses the org.kohsuke.stapler:json-lib library to handle JSON. This library is a fork of net.sf.json-lib:json-lib, which has been renamed to org.kordamp.json-lib-core. Jenkins LTS 2.479.1 and earlier, and Jenkins weekly 2.486 and earlier, bundle org.kohsuke.stapler:json-lib 2.4-jenkins-7 or earlier versions, which are affected by CVE-2024-47855. - Stored XSS vulnerability in Simple Queue Plugin: Simple Queue Plugin versions 1.4.4 and earlier do not escape view names. - Path traversal vulnerability in Filesystem List Parameter Plugin: Filesystem List Parameter Plugin versions 0.0.14 and earlier do not restrict paths used for filesystem object list parameters. 4. Severity: - Denial of service vulnerability: High - Stored XSS vulnerability: High - Path traversal vulnerability: Medium 5. Affected Versions: - Jenkins weekly: up to and including 2.486 - Jenkins LTS: up to and including 2.479.1 - Filesystem List Parameter Plugin: up to and including 0.0.14 - Simple Queue Plugin: up to and including 1.4.4 6. Remediation: - Jenkins weekly: Upgrade to version 2.487 - Jenkins LTS: Upgrade to version 2.479.2 - Filesystem List Parameter Plugin: Upgrade to version 0.0.15 - Simple Queue Plugin: Upgrade to version 1.4.5 7. Acknowledgments: - Daniel Beck, CloudBees, Inc. for SECURITY-3367 - Joonun Jang for SECURITY-3463 - Swapna Nanda, CloudBees, Inc. for SECURITY-3467 This information helps users understand the nature of the vulnerabilities, the affected components and versions, and how to remediate them.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: DoS, XSS, Path Traversal in Core and Plugins (CVE-2024-47855, CVE-2024-54003, CVE-2024-54004)