Bug 2303466 (CVE-2024-43044)

Summary: CVE-2024-43044 jenkins: Arbitrary file read vulnerability through agent connections can lead to RCE
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: cdaley, jchui, jobselko, ktsao, nboldt, rtaniwa, tkral
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Remoting library in Jenkins core, which handles communication between the Jenkins controller and agents. The ClassLoaderProxy#fetchJar function may allow malicious agents, or attackers with Agent/Connect permission, to read arbitrary files from the Jenkins controller's file system due to insufficient path restrictions, which could lead to privilege escalation and remote code execution (RCE).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-08-07 14:20:52 UTC
Jenkins 2.470 and earlier, and LTS 2.452.3 and earlier, allow agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

Comment 1 errata-xmlrpc 2024-08-14 15:44:27 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2024:5405 https://access.redhat.com/errata/RHSA-2024:5405

Comment 2 errata-xmlrpc 2024-08-14 16:11:18 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.13-RHEL-8

Via RHSA-2024:5406 https://access.redhat.com/errata/RHSA-2024:5406

Comment 3 errata-xmlrpc 2024-08-14 17:39:09 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.14-RHEL-8

Via RHSA-2024:5411 https://access.redhat.com/errata/RHSA-2024:5411

Comment 4 errata-xmlrpc 2024-08-14 17:39:28 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.12-RHEL-8

Via RHSA-2024:5410 https://access.redhat.com/errata/RHSA-2024:5410