-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
dfd96d4
commit 6ea537a
Showing
3 changed files
with
41 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
--- | ||
layout: advisory | ||
title: Jenkins Security Advisory 2024-03-20 | ||
kind: core | ||
core: | ||
lts: | ||
previous: 2.440.1 | ||
fixed: 2.440.2 | ||
weekly: | ||
previous: '2.443' | ||
fixed: '2.444' | ||
issues: | ||
- id: SECURITY-3379 | ||
title: HTTP/2 denial of service vulnerability in bundled Jetty | ||
cve: CVE-2024-22201 | ||
cvss: | ||
severity: High | ||
vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | ||
description: |- | ||
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using `java -jar jenkins.war`. | ||
This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. | ||
|
||
Jenkins 2.443 and earlier, LTS 2.440.1 and earlier bundles versions of Jetty affected by the security vulnerability https://www.cve.org/CVERecord?id=CVE-2024-22201[CVE-2024-22201]. | ||
This vulnerability allows unauthenticated attackers to cause a denial of service. | ||
|
||
NOTE: This only affects instances that enable HTTP/2, typically using the `--http2Port` argument to `java -jar jenkins.war` or corresponding options in service configuration files. | ||
It is disabled by default in all native installers and the Docker images provided by the Jenkins project. | ||
|
||
Jenkins 2.444, LTS 2.440.2 updates the bundled Jetty to version 10.0.20, which is unaffected by these issues. | ||
|
||
Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2. |