CVE-2024-23898: Cross-site WebSocket hijacking vulnerability in the Jenkins CLI

January 24, 2024 (updated January 26, 2024)

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

References

www.openwall.com/lists/oss-security/2024/01/24/6
github.com/advisories/GHSA-53ph-2r2x-vqw8
nvd.nist.gov/vuln/detail/CVE-2024-23898
www.jenkins.io/security/advisory/2024-01-24/

Code Behaviors & Features

Detect and mitigate CVE-2024-23898 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →