Vulnerability Details CVE-2024-23898
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.39
EPSS Ranking 97.1%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2024-23898
- cpe:2.3:a:jenkins:jenkins:2.218
- cpe:2.3:a:jenkins:jenkins:2.222.1
- cpe:2.3:a:jenkins:jenkins:2.222.3
- cpe:2.3:a:jenkins:jenkins:2.222.4
- cpe:2.3:a:jenkins:jenkins:2.227
- cpe:2.3:a:jenkins:jenkins:2.235
- cpe:2.3:a:jenkins:jenkins:2.235.1
- cpe:2.3:a:jenkins:jenkins:2.235.2
- cpe:2.3:a:jenkins:jenkins:2.235.3
- cpe:2.3:a:jenkins:jenkins:2.235.4
- cpe:2.3:a:jenkins:jenkins:2.235.5
- cpe:2.3:a:jenkins:jenkins:2.244
- cpe:2.3:a:jenkins:jenkins:2.249
- cpe:2.3:a:jenkins:jenkins:2.249.1
- cpe:2.3:a:jenkins:jenkins:2.249.2
- cpe:2.3:a:jenkins:jenkins:2.249.3
- cpe:2.3:a:jenkins:jenkins:2.251
- cpe:2.3:a:jenkins:jenkins:2.263.1
- cpe:2.3:a:jenkins:jenkins:2.263.2
- cpe:2.3:a:jenkins:jenkins:2.263.3
- cpe:2.3:a:jenkins:jenkins:2.263.4
- cpe:2.3:a:jenkins:jenkins:2.270
- cpe:2.3:a:jenkins:jenkins:2.274
- cpe:2.3:a:jenkins:jenkins:2.276
- cpe:2.3:a:jenkins:jenkins:2.277
- cpe:2.3:a:jenkins:jenkins:2.277.1
- cpe:2.3:a:jenkins:jenkins:2.277.2
- cpe:2.3:a:jenkins:jenkins:2.277.3
- cpe:2.3:a:jenkins:jenkins:2.277.4
- cpe:2.3:a:jenkins:jenkins:2.289.1
- cpe:2.3:a:jenkins:jenkins:2.289.2
- cpe:2.3:a:jenkins:jenkins:2.289.3
- cpe:2.3:a:jenkins:jenkins:2.299
- cpe:2.3:a:jenkins:jenkins:2.300
- cpe:2.3:a:jenkins:jenkins:2.303
- cpe:2.3:a:jenkins:jenkins:2.303.1
- cpe:2.3:a:jenkins:jenkins:2.303.2
- cpe:2.3:a:jenkins:jenkins:2.303.3
- cpe:2.3:a:jenkins:jenkins:2.318
- cpe:2.3:a:jenkins:jenkins:2.319
- cpe:2.3:a:jenkins:jenkins:2.319.1
- cpe:2.3:a:jenkins:jenkins:2.319.2
- cpe:2.3:a:jenkins:jenkins:2.319.3
- cpe:2.3:a:jenkins:jenkins:2.333
- cpe:2.3:a:jenkins:jenkins:2.334
- cpe:2.3:a:jenkins:jenkins:2.375.3
- cpe:2.3:a:jenkins:jenkins:2.375.4
- cpe:2.3:a:jenkins:jenkins:2.387.3
- cpe:2.3:a:jenkins:jenkins:2.393
- cpe:2.3:a:jenkins:jenkins:2.394
- cpe:2.3:a:jenkins:jenkins:2.399
- cpe:2.3:a:jenkins:jenkins:2.400
- cpe:2.3:a:jenkins:jenkins:2.401.1
- cpe:2.3:a:jenkins:jenkins:2.401.2
- cpe:2.3:a:jenkins:jenkins:2.401.3
- cpe:2.3:a:jenkins:jenkins:2.414.1
- cpe:2.3:a:jenkins:jenkins:2.414.2
- cpe:2.3:a:jenkins:jenkins:2.414.3
- cpe:2.3:a:jenkins:jenkins:2.423
- cpe:2.3:a:jenkins:jenkins:2.424
- cpe:2.3:a:jenkins:jenkins:2.426.1
- cpe:2.3:a:jenkins:jenkins:2.426.2
- cpe:2.3:a:jenkins:jenkins:2.427
- cpe:2.3:a:jenkins:jenkins:2.428
- cpe:2.3:a:jenkins:jenkins:2.441