Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. Following vulnerabilities are reported in Jenkins:- Code execution through crafted URLs- Forced migration of user records- Workspace browser allowed accessing files outside the workspace- Potential denial of service through cron expression form validation Affected Versions: Jenkins weekly up to and including 2.153Jenkins LTS up to and including 2.138.3QID Detection Logic:(Unauthenticated)This QID checks for vulnerable version by sending a crafted GET request to Jenkins. This QID also detects the vulnerable version from login page or HTTP header.
Customers are advised to upgrade to Jenkins weekly version 2.154,Jenkins LTS version 2.138.4 or 2.150.1 or later to remediate these vulnerabilities.
Patch: Following are links for downloading patches to fix the vulnerabilities: Jenkins Security Advisory 2018-12-05
Jenkins ver. 2.141