Jenkins Information Leakage Vulnerability
Aug 19, 2020 GMT+08:00
Jenkins has officially released a security notice disclosing that the Jetty 9.4.27 bundled with Jenkins weekly 2.224 through 2.242 and LTS 2.222.1 through 2.235.4 contains security vulnerability CVE-2019-17638. This vulnerability may allow unauthenticated attackers to obtain HTTP response headers that can include sensitive data intended for another user.
If you are a Jenkins user, check your Jenkins versions and implement timely security hardening.
For more information about this vulnerability, visit the following website:
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Jenkins weekly 2.224 up to and including 2.242
Jenkins LTS 2.222.1 up to and including 2.235.4
Secure versions:
Jenkins weekly 2.243
Jenkins LTS 2.235.5
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official releases. If your version falls into the affected range, upgrade it to a secure version.
Download link: https://www.jenkins.io/download/
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
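To turn the version ranges above into a repeatable check, the following Python script is an added example and is not part of the advisory. It reads the version from the X-Jenkins header that Jenkins includes in its HTTP responses and classifies it against the affected ranges stated above; the sample HTTP response embedded in the script is constructed for illustration, not captured from a real server.

```python
"""Classify a Jenkins version against the CVE-2019-17638 affected ranges.

Added example (not part of the advisory). The version ranges are taken from
the advisory text; the sample HTTP response below is constructed.
"""
import re
from typing import Optional, Tuple

# Inclusive affected ranges from the advisory.
WEEKLY_AFFECTED = ((2, 224), (2, 242))        # 2.224 .. 2.242
LTS_AFFECTED = ((2, 222, 1), (2, 235, 4))     # 2.222.1 .. 2.235.4


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.235.4' -> (2, 235, 4). Weekly releases have two parts, LTS three."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside an affected range.

    Tuple comparison is lexicographic, so (2, 230) sits between
    (2, 224) and (2, 242), and (2, 235, 5) is above (2, 235, 4).
    """
    v = parse_version(version)
    low, high = LTS_AFFECTED if len(v) == 3 else WEEKLY_AFFECTED
    return low <= v <= high


def version_from_response(raw: str) -> Optional[str]:
    """Pull the version out of the X-Jenkins response header, if present.

    Header names are case-insensitive, so the match ignores case; the
    colon keeps X-Jenkins-Session from matching by mistake.
    """
    m = re.search(r"^x-jenkins:\s*([0-9.]+)\s*$", raw,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Jenkins: 2.235.4\r\n"
    "X-Jenkins-Session: 0123abcd\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)


def assess(raw: str) -> str:
    """Human-readable verdict for one recorded response."""
    ver = version_from_response(raw)
    if ver is None:
        return "no X-Jenkins header found; version unknown"
    verdict = "AFFECTED, upgrade" if is_affected(ver) else "not in affected range"
    return f"Jenkins {ver}: {verdict}"


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
    # Boundary values from the advisory's ranges.
    for v in ("2.223", "2.224", "2.242", "2.243", "2.222.1", "2.235.4", "2.235.5"):
        print(v, "affected" if is_affected(v) else "ok")
```

Feed `assess()` the raw headers of a response recorded from your own instance; an instance that hides or strips the X-Jenkins header reports "version unknown" rather than a false "not affected", so the version must then be confirmed from the Jenkins UI or the installed package.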