Description:

Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. Following vulnerabilities are reported in Jenkins:- Code execution through crafted URLs- Forced migration of user records- Workspace browser allowed accessing files outside the workspace- Potential denial of service through cron expression form validation Affected Versions: Jenkins weekly up to and including 2.153Jenkins LTS up to and including 2.138.3QID Detection Logic:(Unauthenticated)This QID checks for vulnerable version by sending a crafted GET request to Jenkins. This QID also detects the vulnerable version from login page or HTTP header.

Solution:

Customers are advised to upgrade to  Jenkins weekly version 2.154,Jenkins LTS version 2.138.4 or 2.150.1 or later to remediate these vulnerabilities.

Patch: Following are links for downloading patches to fix the vulnerabilities: Jenkins Security Advisory 2018-12-05

Current version:

Jenkins ver. 2.141