[Critical] Jenkins unauthenticated remote code execution (no CVE number yet)
■ Vulnerability description
A chain of several security issues in Jenkins and its Pipeline plugins; each is covered by one of the official advisories below:
https://jenkins.io/security/advisory/2019-02-19/
https://jenkins.io/security/advisory/2019-01-28/
https://jenkins.io/security/advisory/2019-01-08/
https://jenkins.io/security/advisory/2019-01-16/
 
■ Affected range
Affected high-risk plugins (versions below the listed release are vulnerable):
Pipeline: Declarative Plugin < 1.3.4.1
Pipeline: Groovy Plugin < 2.61.1
Script Security Plugin < 1.50
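To check an instance against the three ranges above, here is an added example (not code from the advisories or from the Jenkins project) that reads the plugin list Jenkins serves at /pluginManager/api/json?depth=1 and flags every listed plugin whose installed version is below the fixed one. The plugin shortNames used as keys and the sample JSON document are assumptions of this example; the fixed versions are the ones in the list above.

```python
"""Flag Jenkins plugins still below the versions fixed in the advisories above.

Added example, not code from the advisories or from the Jenkins project. Input is
the JSON that Jenkins serves at /pluginManager/api/json?depth=1 (one object per
plugin with "shortName" and "version"). The sample document at the bottom is
constructed; the shortName keys are assumed to match the plugins named above.
"""
import json
import re
from typing import Dict, List, Tuple

# Fixed versions from the affected-range list, keyed by the plugin's shortName
# as reported by /pluginManager/api/json (assumed mapping).
FIXED_VERSIONS: Dict[str, str] = {
    "pipeline-model-definition": "1.3.4.1",  # Pipeline: Declarative
    "workflow-cps": "2.61.1",                # Pipeline: Groovy
    "script-security": "1.50",               # Script Security
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted plugin version into a comparable tuple of integers.

    Each component is read up to its first non-digit, so "2.61.1-beta" parses as
    (2, 61, 1); trailing zeros are dropped so "1.50" and "1.50.0" compare equal.
    Note that "1.50" is (1, 50), well above "1.5.0" == (1, 5): a string compare
    would get this wrong.
    """
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(short_name: str, installed: str) -> bool:
    """True if the plugin is one we track and its version is below the fix."""
    fixed = FIXED_VERSIONS.get(short_name)
    if fixed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


def audit(plugin_json: str) -> List[Tuple[str, str, str]]:
    """Return (shortName, installed, fixed) for each tracked plugin below its fix."""
    doc = json.loads(plugin_json)
    findings: List[Tuple[str, str, str]] = []
    for plugin in doc.get("plugins", []):
        name = plugin.get("shortName", "")
        version = plugin.get("version", "")
        if is_vulnerable(name, version):
            findings.append((name, version, FIXED_VERSIONS[name]))
    return findings


# Constructed sample of the pluginManager JSON: two plugins still below the fix,
# one already patched, one unrelated plugin.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "script-security", "version": "1.49", "active": True},
    {"shortName": "workflow-cps", "version": "2.61.1", "active": True},
    {"shortName": "pipeline-model-definition", "version": "1.3.4", "active": True},
    {"shortName": "git", "version": "3.9.1", "active": True},
]})

if __name__ == "__main__":
    for name, installed, fixed in audit(SAMPLE):
        print(f"{name}: installed {installed}, fixed in {fixed}")
```

Against a live instance, fetch the document with an API token (for example curl -u user:token "https://jenkins.example/pluginManager/api/json?depth=1", a hypothetical host) and pass the response body to audit(). Plugins reported with "active": false are not loaded, so you may want to filter on that field before treating a finding as exploitable; the advisories' own fix is still to upgrade.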
 
■ Fix
Update the affected plugins (and Jenkins itself) to the fixed versions; details in:
https://jenkins.io/security/advisory/2019-02-19/
https://jenkins.io/security/advisory/2019-01-28/
https://jenkins.io/security/advisory/2019-01-08/
https://jenkins.io/security/advisory/2019-01-16/
Official release downloads: https://jenkins.io/
 
■ Mitigation
If the upgrade cannot be completed right away, reduce exposure of the Jenkins HTTP interface in the meantime: restrict access to an allowlist of trusted source networks, or place the instance behind a WAF. Because the issue is exploitable without authentication, anyone who can reach the web interface is in scope, so the network restriction is the more reliable of the two.
 
■ Vulnerability details
https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/