
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A cross-site WebSocket hijacking (CSWSH) vulnerability was discovered in Jenkins versions 2.217 through 2.441 and LTS 2.222.1 through 2.426.2. The vulnerability (CVE-2024-23898) was discovered by Yaniv Nizry from SonarSource and reported on January 24, 2024. The vulnerability affects the CLI WebSocket endpoint in Jenkins, which is enabled when running on supported Jetty versions, including native installers, packages, Docker containers, or when running Jenkins with the java -jar jenkins.war command (Jenkins Advisory, SonarSource Blog).
The vulnerability stems from Jenkins' failure to perform origin validation of requests made through the CLI WebSocket endpoint. Additionally, Jenkins does not set an explicit SameSite attribute for session cookies, which can allow cross-site requests to utilize the session cookie with the logged-in user's authentication. The vulnerability has been assigned a CVSS score of 8.8 (High) (CERT-EU).
The impact varies depending on the permissions of the anonymous user and the browsers used by the victims. If the anonymous user has permissions (e.g., with the 'Anyone can do anything' authorization strategy), attackers can execute CLI commands including Groovy scripting capabilities, potentially leading to arbitrary code execution. For users of browsers where the SameSite cookie attribute does not default to Lax, attackers can execute CLI commands with the victim's permissions, potentially achieving arbitrary code execution if the victim is a Jenkins administrator (Jenkins Advisory).
Jenkins has released version 2.442, LTS 2.426.3, and LTS 2.440.1 which implement origin validation for requests made through the CLI WebSocket endpoint. For those unable to update immediately, two workarounds are available: 1) Disable CLI access completely, which prevents exploitation and doesn't require a restart, or 2) Prevent WebSocket access using a reverse proxy by configuring it to not upgrade requests. The fix can be disabled if needed by setting the Java system property hudson.cli.CLIAction.ALLOW_WEBSOCKET to true, though this is not recommended (Jenkins Advisory).
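The fix described above is origin validation of the WebSocket handshake. The following is an added example (not Jenkins' own code) of that check written as a standalone Python function: it normalises the browser-sent Origin and the configured root URL to (scheme, host, port) and only allows the upgrade when they match. The header samples and the jenkins.example.com root URL are constructed for illustration, and allowing a handshake with no Origin header (a non-browser CLI client) is this example's design assumption.

```python
from urllib.parse import urlsplit

# Default ports used to normalise an origin that omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Normalise a URL or Origin value to (scheme, host, port); None if unusable.
    An opaque 'null' origin and non-http(s) schemes deliberately fail."""
    parts = urlsplit(url)
    scheme = {"ws": "http", "wss": "https"}.get(parts.scheme, parts.scheme)
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric port
        return None
    return (scheme, parts.hostname.lower(), port)


def is_websocket_upgrade(headers):
    """True when the request is an RFC 6455 WebSocket handshake."""
    h = {k.lower(): v for k, v in headers.items()}
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    return h.get("upgrade", "").lower() == "websocket" and "upgrade" in tokens


def websocket_upgrade_allowed(headers, root_url, allow_missing_origin=True):
    """Origin validation for the handshake. Browsers always send Origin on a
    WebSocket handshake and a cross-site page cannot forge it, so a mismatch
    means CSWSH. A missing Origin is treated as a non-browser client and
    allowed by default (example assumption, not upstream behaviour)."""
    if not is_websocket_upgrade(headers):
        return True  # not a handshake; nothing for this check to do
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return allow_missing_origin
    expected = origin_tuple(root_url)
    return expected is not None and origin_tuple(origin) == expected


# Constructed sample handshakes (not captured from a real Jenkins instance).
ROOT = "https://jenkins.example.com/"
SAME_SITE = {"Connection": "keep-alive, Upgrade", "Upgrade": "websocket",
             "Origin": "https://jenkins.example.com"}
CROSS_SITE = dict(SAME_SITE, Origin="https://evil.example")
```

Note that a root URL with an explicit non-default port (for example http://jenkins.example.com:8080/) will correctly reject an Origin that omits the port, since the browser would have sent the port for a page served from that host.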
Source: This report was generated using AI