August 20, 2024 at 01:33AM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Jenkins to its Known Exploited Vulnerabilities catalog. The CVE-2024-23897 vulnerability, with a CVSS score of 9.8, allows code execution and has been actively exploited in ransomware attacks. Federal agencies have until September 9, 2024, to apply fixes and secure their networks.
In more detail: CISA has added a critical security flaw affecting Jenkins to its Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2024-23897 (CVSS score 9.8), is a path traversal flaw that can lead to code execution. Sonar security researchers first disclosed it in January 2024, and it was addressed in Jenkins 2.442 and LTS 2.426.3. It has since been exploited in real-world attacks and is actively used by threat actors and ransomware gangs. To mitigate the risk, Federal Civilian Executive Branch (FCEB) agencies must apply the fixes and secure their networks by September 9, 2024.
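As an added example (not from the original report or the Jenkins project), the following triage helper checks a Jenkins version inventory against the fixed versions named above, distinguishing the weekly line (fixed in 2.442) from the LTS line (fixed in 2.426.3). The host names and version strings in the sample inventory are constructed.

```python
import re

# Fixed versions stated in the advisory: weekly 2.442 and LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Jenkins weekly releases use two components (2.441); LTS releases use three (2.426.2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_jenkins_version(text):
    """Return ('weekly' | 'lts', version tuple); raise ValueError if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    major, minor, patch = m.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_patched_for_cve_2024_23897(version):
    """True if the version is at or above the fix for its release line."""
    line, v = parse_jenkins_version(version)
    return v >= (FIXED_LTS if line == "lts" else FIXED_WEEKLY)


def find_unpatched(inventory):
    """Split an {host: version} map into hosts still needing the fix and hosts whose
    version could not be parsed (which should be checked by hand, not ignored)."""
    result = {"unpatched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            if not is_patched_for_cve_2024_23897(version):
                result["unpatched"].append(host)
        except ValueError:
            result["unknown"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts; versions as a scanner might record them).
SAMPLE_INVENTORY = {
    "ci-weekly.example.internal": "2.441",     # weekly, one release before the fix
    "ci-lts.example.internal": "2.426.3",      # LTS, exactly the fixed release
    "ci-legacy.example.internal": "2.414.3",   # older LTS line, unpatched
    "ci-new.example.internal": "2.452",        # weekly, after the fix
    "ci-odd.example.internal": "2.426.3-rc",   # unparseable, needs manual review
}

if __name__ == "__main__":
    print(find_unpatched(SAMPLE_INVENTORY))
```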