This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.JENKINS_2_424.NASLJenkins LTS < 2.414.2 / Jenkins weekly < 2.424 Multiple Vulnerabilities
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
46.6%
According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.414.2 or Jenkins weekly prior to 2.424. It is, therefore, affected by multiple vulnerabilities:
-
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. (CVE-2023-43494)
-
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. (CVE-2023-43497)
-
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. (CVE-2023-43498)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(181682);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");
script_cve_id(
"CVE-2023-43494",
"CVE-2023-43495",
"CVE-2023-43496",
"CVE-2023-43497",
"CVE-2023-43498"
);
script_xref(name:"JENKINS", value:"2023-09-20");
script_xref(name:"IAVA", value:"2023-A-0502-S");
script_name(english:"Jenkins LTS < 2.414.2 / Jenkins weekly < 2.424 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"An application running on a remote web server host is affected by multiple vulnerabilities");
script_set_attribute(attribute:"description", value:
"According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins
LTS prior to 2.414.2 or Jenkins weekly prior to 2.424. It is, therefore, affected by multiple vulnerabilities:
- Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude
sensitive build variables (e.g., password parameter values) from the search in the build history widget,
allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by
iteratively testing different characters until the correct sequence is discovered. (CVE-2023-43494)
- In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web
framework creates temporary files in the default system temporary directory with the default permissions
for newly created files, potentially allowing attackers with access to the Jenkins controller file system
to read and write the files before they are used. (CVE-2023-43497)
- In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using
MultipartFormDataParser creates temporary files in the default system temporary directory with the default
permissions for newly created files, potentially allowing attackers with access to the Jenkins controller
file system to read and write the files before they are used. (CVE-2023-43498)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2023-09-20");
script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins weekly to version 2.424 or later, or Jenkins LTS to version 2.414.2 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-43496");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/20");
script_set_attribute(attribute:"patch_publication_date", value:"2023/09/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/20");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
script_set_attribute(attribute:"cpe", value:"cpe:/a:jenkins:jenkins");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("jenkins_detect.nasl", "jenkins_win_installed.nbin", "jenkins_nix_installed.nbin", "macosx_jenkins_installed.nbin");
script_require_keys("installed_sw/Jenkins");
exit(0);
}
include('vcf_extras.inc');
var constraints = [
{ 'max_version' : '2.423', 'fixed_version' : '2.424', 'edition' : 'Open Source' },
{ 'max_version' : '2.414.1', 'fixed_version' : '2.414.2', 'edition' : 'Open Source LTS' }
];
var app_info = vcf::combined_get_app_info(app:'Jenkins');
vcf::jenkins::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43494
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43495
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43496
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43497
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43498
jenkins.io/security/advisory/2023-09-20
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
46.6%