WARNING: JENKINS PATCHED CRITICAL VULNERABILITIES DUBBED ‘COREPLAGUE’.
CVE-2023-27898 & CVE-2023-27905
Sources
https://www.jenkins.io/security/advisory/2023-03-08/
Risks
As a result of how Jenkins processes plugins available via the Update Center, a threat actor could upload a plugin containing a malicious payload and launch a cross-site scripting (XSS) attack.
The vulnerabilities affect the Jenkins server and the Update Center. All versions of Jenkins before 2.319.2 are susceptible to exploitation. Cloud security firm Aqua has dubbed the set of vulnerabilities CorePlague.
Description
Two major security vulnerabilities, identified as CVE-2023-27898 and CVE-2023-27905, have been discovered in the Jenkins open-source automation server, which could lead to remote code execution on affected systems.
Exploiting these vulnerabilities might allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially resulting in a complete compromise of that server.
The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. Organisations should investigate if they suspect an intrusion attempt.
If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:
Jenkins has released patches for both the Update Center and the server. Update vulnerable servers as soon as possible. Consult the Jenkins security advisory for more information: https://www.jenkins.io/security/advisory/2023-03-08/
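Before patching, administrators usually want a quick inventory of which Jenkins instances still report a version below the fixed release named in this advisory. The script below is an added example, not part of this advisory and not Jenkins project code: it reads the version that Jenkins advertises in its X-Jenkins response header and compares it against the 2.319.2 threshold stated above. The FIXED_VERSION constant and the check_instance helper are assumptions made for this example; the URL is a placeholder for your own server.

```python
import re
import urllib.error
import urllib.request

# Threshold as stated in this advisory: releases below this are reported as
# vulnerable. Verify it against the linked Jenkins advisory before relying on it.
FIXED_VERSION = "2.319.2"


def parse_version(version):
    """Turn a Jenkins version string such as '2.375.3' or '2.393' into a tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError("not a Jenkins version string: %r" % version)
    return tuple(int(p) for p in parts)


def is_vulnerable(reported, fixed=FIXED_VERSION):
    """True when the reported version sorts below the fixed version.

    Shorter version tuples are zero-padded so '2.319' compares as (2, 319, 0).
    """
    a, b = parse_version(reported), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_headers(headers):
    """Return the X-Jenkins header value from a dict-like header mapping, or None."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def check_instance(base_url, timeout=5):
    """Query a Jenkins server you administer and classify it.

    Jenkins includes the X-Jenkins header even on a 403 from the login page,
    so an HTTPError is treated as a normal response here.
    """
    request = urllib.request.Request(base_url.rstrip("/") + "/login", method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            headers = dict(response.headers.items())
    except urllib.error.HTTPError as err:
        headers = dict(err.headers.items())
    reported = version_from_headers(headers)
    if reported is None:
        return {"url": base_url, "version": None, "vulnerable": None}
    return {"url": base_url, "version": reported, "vulnerable": is_vulnerable(reported)}


if __name__ == "__main__":
    # Constructed sample of header values an inventory run might collect.
    sample_versions = ["2.319.1", "2.319", "2.319.2", "2.375.3", "2.393"]
    for v in sample_versions:
        print("%-8s vulnerable=%s" % (v, is_vulnerable(v)))
    # Replace the placeholder with an instance you are responsible for.
    # print(check_instance("https://jenkins.example.invalid"))
```

A missing X-Jenkins header does not prove an instance is safe: reverse proxies and some hardening settings strip it, so treat a None result as "unknown" and confirm the version from the server's own About page.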