This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins uses the library org.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project’s fork of net.sf.json-lib:json-lib, which has since been renamed to org.kordamp.json:json-lib-core.
Jenkins LTS 2.479.1 and earlier, 2.486 and earlier bundle org.kohsuke.stapler:json-lib 2.4-jenkins-7 or earlier. These releases are affected by CVE-2024-47855.
In Jenkins (without plugins) this allows attackers with Overall/Read permission to keep HTTP request handling threads busy indefinitely, using system resources and preventing legitimate users from using Jenkins. Additionally, the Jenkins security team has identified multiple plugins that allow attackers lacking Overall/Read permission to do the same. These plugins include SonarQube Scanner and Bitbucket. Additionally, other features of Jenkins or plugins that process user-provided JSON may be affected, resulting in those features being blocked.
The fix for CVE-2024-47855 in org.kordamp.json:json-lib-core has been backported to org.kohsuke.stapler:json-lib and released in version 2.4-jenkins-8. Jenkins LTS 2.479.2, 2.487 bundle org.kohsuke.stapler:json-lib 2.4-jenkins-8.
simple-queue
Simple Queue Plugin 1.4.4 and earlier does not escape the view name.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
Simple Queue Plugin 1.4.5 escapes the view name.
filesystem-list-parameter-plugin
Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter.
This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.
Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/.
The allow list can be configured to include additional custom base directories.
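As an added example (not the plugin's own code), this is one way a plugin could enforce the allow list the fix describes, assuming the hypothetical class and method names shown: the requested path is canonicalised before it is compared with the permitted base directories, so that `..` segments and symlinks cannot escape the default $JENKINS_HOME/userContent/ base or any additional configured bases.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

/** Hypothetical helper (example code, not from the plugin): allow-list check for a listing directory. */
public final class ListingPathGuard {
    private final List<Path> allowedBases = new ArrayList<>();

    /** Default base is $JENKINS_HOME/userContent/, as in the advisory; extra bases are optional. */
    public ListingPathGuard(Path jenkinsHome, List<Path> extraBases) throws IOException {
        allowedBases.add(canonical(jenkinsHome.resolve("userContent")));
        for (Path extra : extraBases) {
            allowedBases.add(canonical(extra));
        }
    }

    /** Resolve "..", relative segments and symlinks; a lexical prefix check alone can be bypassed. */
    private static Path canonical(Path p) throws IOException {
        return p.toAbsolutePath().normalize().toRealPath();
    }

    /** True only if the requested path resolves to a location inside an allowed base directory. */
    public boolean isAllowed(String requested) {
        try {
            Path real = canonical(Paths.get(requested));
            for (Path base : allowedBases) {
                if (real.startsWith(base)) {
                    return true;
                }
            }
        } catch (IOException | IllegalArgumentException e) {
            // Unresolvable or non-existent paths are rejected rather than reported on.
        }
        return false;
    }

    /** Lists file names only after the allow-list check passes. */
    public List<String> listIfAllowed(String requested) throws IOException {
        if (!isAllowed(requested)) {
            throw new IllegalArgumentException("path is outside the configured allow list");
        }
        List<String> names = new ArrayList<>();
        try (Stream<Path> entries = Files.list(Paths.get(requested))) {
            entries.forEach(p -> names.add(p.getFileName().toString()));
        }
        return names;
    }
}
```

Because `toRealPath()` requires the path to exist, a request for a missing directory is rejected without revealing whether it exists.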
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: