Critical Jenkins Server Vulnerability Could Leak Sensitive Information
CVE-2019-17638 - CVSS: 9.4
An unauthenticated attacker is able to obtain HTTP response headers that may include sensitive data intended for another user.
The vulnerability resides in the Winstone-Jetty wrapper that acts as Jenkins' HTTP and Servlet server. The flaw is a buffer overflow that is not properly sanitized.
When the software throws an exception in order to return an HTTP 431 (Request Header Fields Too Large) error, it releases the HTTP response header buffer to the buffer pool twice.
Two threads can then acquire the same buffer from the pool at the same time, enabling one request to read the response written by the other thread.
That response can contain session identifiers, authentication credentials and other sensitive information.
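The following Python model is an added illustration, not Jetty's or Winstone's code: BufferPool, Buffer, handle_request and the sample header values are all constructed here. It shows why releasing one buffer to a pool twice lets two later requests receive the same buffer object, so that one request's response (here a constructed session cookie) becomes visible to the other, and it shows two mitigations: a handler that releases exactly once, and a pool that refuses to re-enqueue a buffer it already owns.

```python
"""Toy model of the double-release bug class behind CVE-2019-17638.

Added illustration only: BufferPool, Buffer and handle_request are constructed
here and are not Jetty's or Winstone's code. The model shows how releasing one
buffer to the pool twice lets two later requests receive the same buffer, and
two mitigations: release exactly once, and a pool that refuses re-enqueueing.
"""
from collections import deque


class Buffer:
    """Reusable byte buffer, a stand-in for a pooled ByteBuffer."""

    def __init__(self, ident):
        self.ident = ident
        self.data = bytearray()


class BufferPool:
    """Hands out buffers and takes them back; strict=True rejects double release."""

    def __init__(self, size, strict=False):
        self.strict = strict
        self._free = deque(Buffer(i) for i in range(size))
        self._in_pool = {b.ident for b in self._free}
        self._next_ident = size

    def acquire(self):
        if not self._free:
            # Pool is empty: allocate a fresh buffer, as real pools do under load
            buf = Buffer(self._next_ident)
            self._next_ident += 1
            return buf
        buf = self._free.popleft()
        self._in_pool.discard(buf.ident)
        buf.data = bytearray()  # recycled buffers are cleared on acquire
        return buf

    def release(self, buf):
        """Return a buffer. Returns False when a strict pool rejects a double release."""
        if buf.ident in self._in_pool:
            if self.strict:
                # Hardened pool: a buffer it already owns is never enqueued twice.
                # A production pool would log or assert here.
                return False
            # Vulnerable pool: the same object now sits in the free list twice.
        self._in_pool.add(buf.ident)
        self._free.append(buf)
        return True


class HeaderTooLarge(Exception):
    """Models the condition reported to the client as HTTP 431."""


def handle_request(pool, request_headers, double_release, max_header_bytes=64):
    """Build response headers into a pooled buffer.

    With double_release=True the 431 error path releases the buffer both where
    the error is raised and in the cleanup handler, mirroring the bug class;
    with double_release=False it is released exactly once.
    """
    buf = pool.acquire()
    try:
        if sum(len(line) for line in request_headers) > max_header_bytes:
            if double_release:
                pool.release(buf)  # first release, at the point of error
            raise HeaderTooLarge()
        buf.data += b"HTTP/1.1 200 OK\r\n"
        return buf
    except HeaderTooLarge:
        pool.release(buf)  # cleanup release (the only one on the fixed path)
        return None


def demo(double_release, strict_pool):
    """Return (same_buffer, leaked) for two requests served after a 431."""
    pool = BufferPool(size=1, strict=strict_pool)
    # Request 1: constructed oversized header triggers the 431 path.
    handle_request(pool, [b"X-Big: " + b"a" * 100], double_release)
    # Requests 2 and 3 acquire response buffers; the race is modelled as both
    # acquisitions happening before either response is written.
    buf2 = pool.acquire()
    buf3 = pool.acquire()
    # Request 2 writes a constructed session cookie meant only for its own client.
    buf2.data += b"Set-Cookie: JSESSIONID=constructed-user2-session\r\n"
    leaked = b"JSESSIONID" in buf3.data
    return buf2 is buf3, leaked


if __name__ == "__main__":
    print("vulnerable:", demo(double_release=True, strict_pool=False))
    print("fixed handler:", demo(double_release=False, strict_pool=False))
    print("strict pool:", demo(double_release=True, strict_pool=True))
```

With the vulnerable handler and a permissive pool, demo returns (True, True): both later requests hold the very same buffer and the second one can read the first one's Set-Cookie header. Releasing exactly once, or having the pool reject a buffer it already owns, both yield (False, False). The real race is timing-dependent; the model makes it deterministic by acquiring both buffers before either response is written.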
CERT.be recommends that system administrators apply the latest patches released by the vendor as soon as possible.
When patching, externally facing systems should be prioritised.
Patched versions of the affected components are available from the Jenkins download page:
Jenkins weekly releases should be updated to version 2.243.
Jenkins LTS releases should be updated to version 2.235.5.