
Jenkins Information Leakage Vulnerability

Aug 19, 2020 GMT+08:00

I. Overview

Jenkins has published a security advisory disclosing that Jenkins weekly 2.224 through 2.242 and Jenkins LTS 2.222.1 through 2.235.4 bundle Jetty 9.4.27, which is affected by CVE-2019-17638. In that Jetty version, when a response's headers are too large and Jetty produces an HTTP 431 error, the buffer holding the response headers is returned to Jetty's buffer pool twice; two threads can then obtain the same buffer, and one client may receive headers written for another client's response. As a result, an unauthenticated attacker may obtain HTTP response headers, possibly including session identifiers or other sensitive data, that were intended for another user.

If you run Jenkins, check the version of every controller you operate against the ranges below and apply the fix promptly.

For more information about this vulnerability, visit the following website:

https://www.jenkins.io/security/advisory/2020-08-17/

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Jenkins weekly 2.224 up to and including 2.242

Jenkins LTS 2.222.1 up to and including 2.235.4

Secure versions:

Jenkins weekly 2.243

Jenkins LTS 2.235.5
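The version check described above, as an added example that is not part of this notice or of the Jenkins project's own code. A Jenkins controller reports its version in the X-Jenkins response header; the script reads that header from a raw HTTP response (the sample response below is constructed, not captured), distinguishes weekly releases from LTS releases by the number of version components, and classifies the version against the affected and fixed ranges listed above.

```python
"""Classify a Jenkins version against the CVE-2019-17638 ranges in this notice.

Added example; not code from the Jenkins project or from this notice.
"""
import re
from typing import Optional, Tuple

# Ranges copied from this notice. Weekly releases have two components (2.242);
# LTS releases have three (2.235.4). Tuples compare component by component.
WEEKLY_AFFECTED = ((2, 224), (2, 242))
WEEKLY_FIXED = (2, 243)
LTS_AFFECTED = ((2, 222, 1), (2, 235, 4))
LTS_FIXED = (2, 235, 5)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

# Constructed sample of a response head from a Jenkins controller. The header
# name X-Jenkins is real; the values are made up for the example. The
# X-Jenkins-Session line is included to show that the lookup must match the
# header name exactly rather than by prefix.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins-Session: 0123abcd\r\n"
    "X-Jenkins: 2.235.4\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if it is not a Jenkins version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unaffected' or 'unknown' for this CVE only.

    'unaffected' means older than the affected range for this CVE; such a
    version predates Jetty 9.4.27 in Jenkins but may carry other issues.
    """
    v = parse_version(version)
    if v is None:
        return "unknown"
    if len(v) == 3:  # LTS line
        low, high = LTS_AFFECTED
        fixed = LTS_FIXED
    else:  # weekly line
        low, high = WEEKLY_AFFECTED
        fixed = WEEKLY_FIXED
    if low <= v <= high:
        return "affected"
    return "fixed" if v >= fixed else "unaffected"


def version_from_headers(raw_response: str) -> Optional[str]:
    """Pull the X-Jenkins header value out of a raw HTTP response head."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    reported = version_from_headers(SAMPLE_RESPONSE)
    print(f"X-Jenkins: {reported} -> {classify(reported or '')}")
    for sample in ("2.223", "2.224", "2.242", "2.243", "2.222.1", "2.235.5"):
        print(f"{sample} -> {classify(sample)}")
```

To feed the script a live value, fetch the response head of your controller with a command such as `curl -sI https://jenkins.example.com/login` and pass the X-Jenkins value to classify(); the hostname is a placeholder. A version that predates the affected range is reported as unaffected by this CVE only, not as safe in general.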

IV. Vulnerability Handling

The fix ships in the releases listed above: Jenkins weekly 2.243 and Jenkins LTS 2.235.5 bundle a Jetty release in which the defect is corrected. If your controller runs a version in the affected range, upgrade it to a fixed version. Because the defect is in the Jetty server bundled inside jenkins.war, the remedy is the upgrade itself rather than a Jenkins-side configuration change. The bundled Jetty is the one used when Jenkins is started directly from jenkins.war; if you deploy the WAR into a separately installed servlet container, that container's own version determines whether it is exposed to CVE-2019-17638.

Download link: https://www.jenkins.io/download/

Note: Back up JENKINS_HOME before upgrading, and test the new version in a non-production environment before rolling it out.