
Aqua has discovered two severe security vulnerabilities, CVE-2023-27898 and CVE-2023-27905, in the Jenkins open source automation server. These vulnerabilities could lead to code execution on targeted systems and have been christened CorePlague by Aqua.
The flaws stem from how Jenkins processes plugin metadata fetched from the Update Center, which could let a threat actor upload a plugin carrying a malicious payload and trigger a cross-site scripting (XSS) attack. "Once the victim opens the 'Available Plugin Manager' on their Jenkins server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins Server utilizing the Script Console API," Aqua said.
Because this is a stored XSS, in which the JavaScript is injected into the server itself, the vulnerability can be triggered without the plugin ever being installed or its URL even being visited. Aqua has disclosed these vulnerabilities to the Jenkins team and a patch is expected to be released soon. In the meantime, users are advised to update to Jenkins versions 2.319.2 or later.
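The core of the problem described above is plugin metadata from an external feed being rendered into the administrator's browser without output encoding. The following Python is an added illustration, not code from Aqua, Jenkins or the advisory: it parses a constructed update-center style JSON document (the field names name/title/excerpt/version/url are an assumption about that layout, not taken from the page), flags entries whose text fields carry active HTML content before they reach any UI, and contrasts an unsafe renderer that concatenates metadata into HTML with a hardened one that escapes every untrusted field.

```python
import html
import json
import re

# Constructed sample resembling an update-center feed; the field names are
# an assumption about the layout and the entries are invented for this demo.
SAMPLE_UPDATE_CENTER = json.dumps({
    "plugins": {
        "good-plugin": {
            "name": "good-plugin",
            "title": "Good Plugin",
            "excerpt": "Adds a build step. Supports <b>bold</b> text in docs.",
            "version": "1.0",
            "url": "https://updates.example.invalid/good-plugin.hpi",
        },
        "bad-plugin": {
            "name": "bad-plugin",
            "title": "Bad Plugin",
            "excerpt": "Harmless looking <script>document.title='x'</script> description",
            "version": "0.1",
            "url": "https://updates.example.invalid/bad-plugin.hpi",
        },
    }
})

# Markers of active content that plugin metadata should never contain when it
# is destined for an administrator's browser (heuristic, not a sanitizer).
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:", re.I
)

def parse_update_center(doc: str) -> dict:
    """Return the plugin map from an update-center style JSON document."""
    return json.loads(doc)["plugins"]

def flag_suspicious(plugins: dict) -> list:
    """Names of plugins whose text fields carry active HTML content."""
    flagged = []
    for name, meta in plugins.items():
        for field in ("name", "title", "excerpt", "url"):
            if ACTIVE_CONTENT.search(str(meta.get(field, ""))):
                flagged.append(name)
                break
    return flagged

def render_vulnerable(plugins: dict) -> str:
    """Feed fields concatenated straight into HTML: this is stored XSS."""
    return "".join(
        f"<li><b>{m['title']}</b> {m['excerpt']}</li>" for m in plugins.values()
    )

def render_hardened(plugins: dict) -> str:
    """Every untrusted field is HTML-escaped; URLs are restricted to https."""
    rows = []
    for m in plugins.values():
        url = m.get("url", "")
        href = html.escape(url, quote=True) if url.startswith("https://") else "#"
        rows.append(
            f'<li><a href="{href}">{html.escape(m["title"])}</a> '
            f'{html.escape(m["excerpt"])}</li>'
        )
    return "".join(rows)

if __name__ == "__main__":
    plugins = parse_update_center(SAMPLE_UPDATE_CENTER)
    print("flagged before rendering:", flag_suspicious(plugins))
    print("vulnerable:", render_vulnerable(plugins))
    print("hardened:  ", render_hardened(plugins))
```

The flagging step is a detection aid for feed consumers, not a substitute for encoding: the hardened renderer is what removes the stored XSS, because it treats every feed value as data rather than markup regardless of what the heuristic catches.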