• Home
  • |
  • Blog
  • |
  • How to Fix CorePlague Vulnerabilities in Jenkins Server And Update Center?
How to Fix CorePlague Vulnerabilities in Jenkins Server And Update Center

Cloud security firm Aqua has uncovered two critical security vulnerabilities in Jenkins, an open-source automation server that could potentially allow an attacker to execute arbitrary code on targeted systems and sometimes a complete compromise too. These flaws, known as CVE-2023-27898 and CVE-2023-27905, collectively referred to as CorePlague, affect the Jenkins server and Update Center and can impact all Jenkins versions prior to 2.319.2. Considering the critical nature of these vulnerabilities, we urge all users of Jenkin to fix CorePlague vulnerabilities in Jenkins Server And Update Center.

We created this post in which we covered the introduction of Jenkins, where the flaws stemmed from, how can an attacker can compromise the Jenkins Server and Update Center, versions vulnerable to these critical flaws, and finally, how to fix CorePlague vulnerabilities in Jenkins Server And Update Center. Let’s begin with the introduction of Jenkins.

A Short Introduction About Jenkins

Jenkins is an open-source automation server widely used for continuous integration and continuous delivery. It is written in Java and helps developers quickly build, test, and deploy applications. Jenkins can be installed on-premise or hosted in the cloud, making it a great choice for both small and large development teams. With its user-friendly interface, Jenkins allows users to easily set up configurations and automate the process of building, testing and deploying software. It also provides a host of other features, such as integration with version control systems, continuous delivery pipelines, and security settings. Jenkins is an essential tool for any DevOps team striving for efficient workflows and improved application performance.

To better understand CorePlague Vulnerabilities in Jenkins Server and Update Center, it is good to know some basic Jenkins components like Artifactory Binary Repository, Jenkins Update Center, and Jenkins Pluginsthat.

Artifactory Binary Repository: An artifact registry, also known as a binary repository manager, is used to store and manage software artifacts such as libraries, packages, and plugins. The Jenkins project has its own Artifactory binary repository, which distributes core, library, and plugin releases. This allows developers to easily access and share artifacts and ensures the consistency and integrity of the software being used.

Jenkins Update Center: The Jenkins Update Center is a key component of the Jenkins automation server that provides access to a wide range of plugins and updates for the Jenkins platform. It allows administrators to discover, download, install, and upload their plugins that extend the functionality of their Jenkins server. This is also known as Jenkins community update sites, where developers and users can contribute their own plugins and enhancements.

Jenkins Plugins: Plugins are software components that extend the functionality of the Jenkins Server, enabling users to enhance and customize their experience and the automation process. These plugins offer features such as source code management, build triggers, notification mechanisms, and integrations with external tools and systems. They can be installed, updated, and managed via the Jenkins Update Center. With over 1,500 plugins available, Jenkins offers a wide range of functionalities and integrations that can be tailored to specific development needs.

Now itCVE-2023-27898’s time to see the summary of the CorePlague Vulnerabilities.

Summary of CorePlague Vulnerabilities in Jenkins Server And Update Center

CorePlague vulnerabilities are composed of two critical vulnerabilities identified as CVE-2023-27898 and CVE-2023-27905. When these vulnerabilities are chained together, they allow an attacker to execute arbitrary code on targeted systems. Sometimes, these vulnerabilities allow a complete compromise of the Jenkins server, giving an attacker full control. Let’s see the summary of both vulnerabilities in the next section.

Summary of CVE-2023-27898:

Stored XSS in Jenkins Plugin System

CVE-2023-27898 is a high-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins 2.270 through 2.393 and LTS 2.277.1 through 2.375.3, which could allow an attacker to execute arbitrary code on the affected system. Aqua published this vulnerability on March 8, 2023, marking its severity as High with a CVSS score of 8.8 out of 10 on the scale.

The vulnerability resides when the error message indicates plugin incompatibility with the current version of Jenkins, the plugin version is not properly escaped, allowing for a stored XSS vulnerability. Attackers can exploit this vulnerability by providing plugins to the configured update sites and having this message displayed on Jenkins instances.

This vulnerability is particularly concerning as it allows attackers to execute malicious code in the context of legitimate Jenkins users, potentially leading to data theft or system compromise. Jenkins administrators are advised to fix CorePlague vulnerabilities in Jenkins Server And Update Center.

Associated CVE IDCVE-2023-27898
DescriptionA high-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins server due to improper input sanitization.
Associated ZDI ID
CVSS Score8.8 High
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)Required
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Summary of CVE-2023-27905:

Stored XSS in Jenkins Update-Center2

CVE-2023-27905 is a stored Cross-Site Scripting (XSS) vulnerability in Jenkins update-center2 3.13 and 3.14, which could be exploited by attackers who can provide a plugin for hosting. Aqua published this vulnerability on March 8, 2023, marking its severity as Medium with a CVSS score of 6.1 out of 10 on the scale.

The vulnerability resides when the required Jenkins core version on the plugin downloads index pages, and the input is not sanitized, creating a stored XSS vulnerability. Attackers can exploit this vulnerability by providing a plugin for hosting.

This vulnerability also allows attackers to execute malicious code in the context of legitimate Jenkins users. Jenkins administrators are advised to fix CorePlague vulnerabilities in Jenkins Server And Update Center.

Associated CVE IDCVE-2023-27905
DescriptionA medium-severity Storred Cross-Site Scripting(XSS) vulnerability in Jenkins Update Center2 due to improper input sanitization.
Associated ZDI ID
CVSS Score6.1 Medium
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)Required
ScopeChanged
Confidentiality (C)Low
Integrity (I)Low
availability (a)None

What Aqua Shared About CorePlague Vulnerabilities?

Aqua Team revealed in their study that Jenkins is vulnerable to stored cross-site scripting (XSS) attacks, which can lead to remote code execution (RCE). This vulnerability can be exploited by uploading a malicious core version plugin to the Jenkins Update Center, which can then trigger the XSS when the Available Plugin Manager is opened.

The vulnerabilities are triggered by a stored XSS exploit, where a malicious core version of a Jenkins plugin is uploaded to the Jenkins Update Center by attackers. When a victim opens the Available Plugin Manager on their Jenkins Server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins Server using the Script Console API.

This vulnerability is particularly dangerous because it does not require any additional action from the victim, and the exploitation does not require the manipulated plugin to be installed. Attackers can easily compromise Jenkins servers that are not directly reachable because the public Jenkins Update Center could be injected by attackers.

For complete technical details, we recommend reading the blog published by Aqua.

Jenkins Server And Update Center Prone to CorePlague Vulnerabilities:

According to the advisory, Jenkins versions 2.270 through 2.393, as well as LTS versions 2.277.1 through 2.375.3, are affected by the CVE-2023-27898 vulnerability. And, The Jenkins update-center2 versions 3.13 and 3.14 are affected by the CVE-2023-27905 vulnerability.

How to Fix CorePlague Vulnerabilities in Jenkins Server And Update Center?

As of now, you learned about Jenkins, CorePlague Vulnerabilities in Jenkins Server And Update Center, and versions affected by these flaws. Now we will see how to fix CorePlague Vulnerabilities in Jenkins Server And Update Center in this final section.

Generally, to protect your Jenkins server from new vulnerabilities, it is important to ensure that you have installed the latest security patches released by the Jenkins team. The Jenkins team has acknowledged the vulnerabilities and released patches for the Jenkins server as well as for the Jenkins Update Centeron February 15.

Even with the patch, your Jenkins server might still be vulnerable, but it’s probably not exploitable. Therefore, you don’t need to update it right away. However, if you use self-hosted or customized Update Centers to obtain your plugins, your Jenkins server is at risk, and you should update it immediately to ensure its security.

How to Protect Your Jenkins Server And Update Center from CorePlague Vulnerabilities?

To protect your Jenkins server from these vulnerabilities, it is important to ensure that you have installed the latest security patches released by the Jenkins team. The Jenkins team has acknowledged the vulnerabilities and has released a patch for the Jenkins server as well as for the Jenkins Update Center.

Time needed: 30 minutes.

How to Install or Upgrade Jenkins?

This step-by-step guide will show you how to install or upgrade Jenkins on your machine. We are going to show you how you can install Jenkins on Ubuntu in this demo. Jenkins is distributed in various formats, including WAR files, native packages, installers, and Docker images. You can visit the links below if you want to install or upgrade on any other platform.

1. Docker
2. Kubernetes
3. Linux
4. macOS
5. Windows
6. Other Systems
7. WAR file
8. Other Servlet Containers
9. Offline Installations
10. Initial Settings

  1. Check the Hardware and Software Requirements

    Before you begin, it is essential to ensure that your machine meets the hardware and software requirements for Jenkins. You can find this information in the User Handbook. Take a moment to review this section before proceeding with the installation.

    Minimum hardware requirements:
    256 MB of RAM
    1 GB of drive space (although 10 GB is a recommended minimum if running Jenkins as a Docker container)

    Recommended hardware configuration for a small team:
    4 GB+ of RAM
    50 GB+ of drive space

    Comprehensive hardware recommendations:
    Hardware: see the Hardware Recommendations page

    Software requirements:
    Java: see the Java Requirements page
    Web browser: see the Web Browser Compatibility page
    For Windows operating system: Windows Support Policy
    For Linux operating system: Linux Support Policy
    For servlet containers: Servlet Container Support Policy

  2. Downloading and Installing Jenkins

    LTS (Long-Term Support) release is chosen every 12 weeks from the stream of regular releases as the stable release for that time period. It can be installed from the debian-stable apt repository.

    curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee \ /usr/share/keyrings/jenkins-keyring.asc > /dev/null

    echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian-stable binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/null

    sudo apt-get update

    sudo apt-get install jenkins


    A new release is produced weekly to deliver bug fixes and features to users and plugin developers. It can be installed from the debian apt repository.

    curl -fsSL https://pkg.jenkins.io/debian/jenkins.io.key | sudo tee \ /usr/share/keyrings/jenkins-keyring.asc > /dev/null

    echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/null

    sudo apt-get update

    sudo apt-get install jenkins

Here are some measures you can take to ensure your Jenkins server is protected from CorePlague vulnerabilities:

  1. Update Jenkins Server and Jenkins Update Center:
    Make sure that your Jenkins server is running the latest version of the software and that you have installed the latest security patch released by the Jenkins team. You should also ensure that you have updated the Jenkins Update Center to the latest version.
  1. Disable Unused Plugins:
    You should disable any plugins that you are not using to reduce the attack surface of your Jenkins server. This will reduce the likelihood of attackers exploiting vulnerabilities in unused plugins.
  1. Install Security Plugins:
    Consider installing security plugins such as the Jenkins Active Directory plugin or the Role-Based Access Control plugin to enhance the security of your Jenkins server.
  1. Monitor Jenkins Server:
    Regularly monitor your Jenkins server for any unusual activity or suspicious behavior. You can use plugins such as the Jenkins Log Parser plugin to monitor the system log for any unusual activity.

We hope this post would help you know how to fix CorePlague vulnerabilities in Jenkins Server And Update Center. Please share this post and help secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.