No CVE has been announced yet. An issue in the Jenkins Cluster Statistics Plugin before version 0.4.6 allows attackers to delete recorded Jenkins Cluster Statistics because of an incorrect permission check. No other details are currently available. Updating the plugin as soon as possible is recommended.

The Jenkins team has published an announcement with more information and recommended actions. If you are running an older version of the plugin, upgrade it as soon as possible.
On January 15, 2018, the Jenkins team released version 1.597.1 of the Jenkins Cluster Statistics Plugin. The plugin lets Jenkins users view the number of their Jenkins slaves, the slaves' memory usage, and the time it takes the slaves to start up. It only works when the Jenkins master and one or more slaves are connected to a database. An attacker can exploit the plugin to delete data from that database, effectively taking down the entire system, so users of the plugin should make sure the database is not reachable by an attacker. The latest version of the plugin is 1.597.1. Bug fix: earlier versions of the plugin allowed attackers to delete data from the database.

Setup

1. Update Jenkins and the plugin to 1.597.1
2. Set permissions on your database so it is not accessible to an attacker
3. Ensure that the only user with access to your database is you
4. Restart Jenkins to make sure the change has taken effect
5. Check your Jenkins logs for errors
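As an added example (not code from the advisory or from the Jenkins project), the following Python script checks a Jenkins pluginManager API response for an installed Cluster Statistics Plugin older than the 0.4.6 fix named at the top of this page; the plugin short name `cluster-stats` and the JSON field names (`plugins`, `shortName`, `version`) are assumptions about the Jenkins `/pluginManager/api/json?depth=1` endpoint.

```python
"""Flag an installed Jenkins Cluster Statistics Plugin that is below the fixed version."""
import json
import re

# Assumptions: the plugin's Jenkins short name, and the fixed version stated in the advisory.
PLUGIN_ID = "cluster-stats"
FIXED_VERSION = "0.4.6"


def parse_version(v):
    """Turn '0.4.5' or '0.4.6-beta1' into a comparable key.

    Numeric components compare as integers; a pre-release tag (anything after '-')
    ranks below the plain release with the same numbers.
    """
    core, _, tail = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", core))
    return nums, (0 if tail else 1)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version sorts before the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_plugins(api_json, plugin_id=PLUGIN_ID, fixed=FIXED_VERSION):
    """Return [(shortName, version)] for installed copies of plugin_id older than fixed."""
    data = json.loads(api_json)
    hits = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == plugin_id and is_vulnerable(plugin.get("version", "0"), fixed):
            hits.append((plugin["shortName"], plugin["version"]))
    return hits


# Constructed sample of a pluginManager API response, trimmed to the fields used above.
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.11.3", "active": True},
        {"shortName": "cluster-stats", "version": "0.4.5", "active": True},
    ]
})

if __name__ == "__main__":
    for name, ver in find_vulnerable_plugins(SAMPLE_RESPONSE):
        print(f"UPGRADE: {name} {ver} is below fixed version {FIXED_VERSION}")
```

Replace `SAMPLE_RESPONSE` with the body fetched from your own Jenkins master (authenticated as an administrator) to check a live installation.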

Mitigation Strategies

If you're running an older version of this plugin, upgrade it as soon as possible. If you are vulnerable to this issue, apply these mitigation strategies:
1) Make sure your database is not accessible by an attacker.
2) Make sure that the plugin only has one connection at a time.
3) Make sure that the plugin's user interface and any job definitions are not publicly accessible.

Dependency: Jenkins Cluster Statistics Plugin

The Jenkins Cluster Statistics Plugin is a plugin that only works when the Jenkins master and one or more slaves are connected to a database.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 04:56:00 UTC
