CVE-2019-17638 | Jenkins Jetty Component Security Vulnerability Advisory

Published: 2020-08-19

0x00 Vulnerability Overview



CVE ID: CVE-2019-17638

Date: 2020-08-19

Type:

Severity: Critical

Remotely exploitable: Yes

Affected versions:

Jenkins 2.224-2.242

Jenkins LTS 2.222.1-2.235.4



0x01 Vulnerability Details





Jenkins recently published an advisory fixing a security vulnerability (CVE-2019-17638) in the Jetty component bundled with Jenkins. The issue stems from Jetty 9.4.27, which ships with Jenkins 2.224 through 2.242 and Jenkins LTS 2.222.1 through 2.235.4 and contains a flaw (CVE-2019-17638) that allows an unauthenticated attacker to obtain HTTP response headers and thereby gain access to other users' sensitive information.

Jenkins is one of the most popular open-source automation servers, maintained by CloudBees and the Jenkins project. The automation server helps developers build, test and deploy their applications; it has hundreds of thousands of active installations worldwide and more than 1 million users. Users are advised to upgrade Jenkins and Jenkins LTS to a fixed version as soon as possible.


0x02 Remediation Advice


Please upgrade to Jenkins 2.243 or Jenkins LTS 2.235.5. Download address:

https://www.jenkins.io/changelog-stable/
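To turn the affected-version ranges above into an inventory check, the following added example (not code from the advisory or from the Jenkins project) classifies a Jenkins version string as weekly or LTS and reports whether it falls inside the ranges this advisory lists, together with the fixed release to move to. It assumes the caller has already collected each instance's version string, for example from the X-Jenkins response header, and the hostnames in the demo are constructed.

```python
"""Check a Jenkins version string against the ranges CVE-2019-17638 affects."""
from typing import Optional, Tuple

# Affected ranges and fixed releases as stated in the advisory.
WEEKLY_AFFECTED = ((2, 224), (2, 242))      # Jenkins 2.224 - 2.242
WEEKLY_FIXED = "2.243"
LTS_AFFECTED = ((2, 222, 1), (2, 235, 4))   # Jenkins LTS 2.222.1 - 2.235.4
LTS_FIXED = "2.235.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.235.4' into (2, 235, 4); raise ValueError on anything else."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """LTS releases carry three components (2.235.4); weekly releases two (2.242)."""
    return len(parse_version(version)) == 3


def check_cve_2019_17638(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, recommended_upgrade) for one Jenkins version string.

    The version is whatever the instance reports (assumption: taken from
    inventory or the X-Jenkins response header). Tuples compare component
    by component as integers, so '2.9' correctly sorts below '2.224'.
    """
    v = parse_version(version)
    lo, hi = LTS_AFFECTED if len(v) == 3 else WEEKLY_AFFECTED
    fixed = LTS_FIXED if len(v) == 3 else WEEKLY_FIXED
    vulnerable = lo <= v <= hi
    return vulnerable, (fixed if vulnerable else None)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ci-a", "2.235.4"), ("ci-b", "2.243"), ("ci-c", "2.230")]:
        vuln, fix = check_cve_2019_17638(ver)
        state = f"VULNERABLE, upgrade to {fix}" if vuln else "not affected"
        print(f"{host}: Jenkins {ver} -> {state}")
```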


0x03 Related News


https://securityaffairs.co/wordpress/107286/hacking/jenkins-information-disclosure.html?utm_source=rss&utm_medium=rss&utm_campaign=jenkins-information-disclosure


0x04 References


https://www.jenkins.io/security/advisory/2020-08-17/#SECURITY-1983


0x05 Timeline


2020-08-19 VSRC publishes the vulnerability advisory

