Jenkins Vulnerability Advisory: DoS, Stored XSS, and Path Traversal in Core and Plugins

From this webpage screenshot, the following key information about the vulnerabilities can be obtained: 1. Vulnerability Types: - Denial of service vulnerability in bundled json-lib (CVE-2024-47855) - Stored XSS vulnerability in Simple Queue Plugin (CVE-2024-54003) - Path traversal vulnerability in Filesystem List Parameter Plugin (CVE-2024-54004) 2. Affected Components: - Jenkins (core) - Filesystem List Parameter Plugin - Simple Queue Plugin 3. Vulnerability Descriptions: - Denial of service vulnerability in bundled json-lib: Jenkins uses the library to handle JSON. This library is a fork of the original , which has been renamed to . Jenkins LTS 2.479.1 and earlier, and Jenkins weekly 2.486 and earlier, bundle version 2.4-jenkins-7 or earlier, which are affected by CVE-2024-47855. - Stored XSS vulnerability in Simple Queue Plugin: Simple Queue Plugin versions 1.4.4 and earlier do not properly escape view names. - Path traversal vulnerability in Filesystem List Parameter Plugin: Filesystem List Parameter Plugin versions 0.0.14 and earlier do not restrict paths used for filesystem object list parameters. 4. Severity: - Denial of service vulnerability in bundled json-lib: High - Stored XSS vulnerability in Simple Queue Plugin: High - Path traversal vulnerability in Filesystem List Parameter Plugin: Medium 5. Affected Versions: - Jenkins weekly: 2.486 and earlier - Jenkins LTS: 2.479.1 and earlier - Filesystem List Parameter Plugin: 0.0.14 and earlier - Simple Queue Plugin: 1.4.4 and earlier 6. Remediation: - Jenkins weekly: Upgrade to 2.487 - Jenkins LTS: Upgrade to 2.479.2 - Filesystem List Parameter Plugin: Upgrade to 0.0.15 - Simple Queue Plugin: Upgrade to 1.4.5 7. Credits: - Daniel Beck, CloudBees, Inc.: SECURITY-3367 - Joonun Jang: SECURITY-3463 - Swapna Nanda, CloudBees, Inc.: SECURITY-3467 This information helps users understand the nature of the vulnerabilities, the affected components and versions, and how to remediate them.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Vulnerability Advisory: DoS, Stored XSS, and Path Traversal in Core and Plugins