CVE-2019-17638 | Jenkins Jetty Component Security Vulnerability Advisory

Published 2020-08-19

0x00 Vulnerability Overview



CVE ID: CVE-2019-17638

Date: 2020-08-19

Type:

Severity: Critical

Remotely exploitable: Yes

Affected versions:

Jenkins 2.224-2.242

Jenkins LTS 2.222.1-2.235.4



0x01 Vulnerability Details





Jenkins recently published an advisory fixing a security vulnerability (CVE-2019-17638) in the Jetty component bundled with Jenkins. The flaw lies in Jetty 9.4.27, which ships with Jenkins 2.224 through 2.242 and Jenkins LTS 2.222.1 through 2.235.4; it allows an unauthenticated attacker to obtain HTTP response headers and thereby see other users' sensitive information.

Jenkins is one of the most popular open-source automation servers and is maintained by CloudBees and the Jenkins community. The automation server helps developers build, test and deploy their applications; it has hundreds of thousands of active installations worldwide and more than one million users. Users are advised to upgrade Jenkins and Jenkins LTS to a fixed version as soon as possible.


0x02 Remediation


Upgrade to Jenkins 2.243 or Jenkins LTS 2.235.5. Download:

https://www.jenkins.io/changelog-stable/
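To triage an inventory of Jenkins instances against the version ranges in this advisory, the following added example (not part of the advisory) classifies a version string and reports the fixed release to move to. It assumes the usual Jenkins numbering, where weekly releases have two components (2.242) and LTS releases three (2.235.4); the ranges and fixed versions are those quoted above.

```python
"""Check Jenkins version strings against the CVE-2019-17638 advisory ranges.

Added example. Assumption: weekly releases use two numeric components (2.242),
LTS releases use three (2.235.4). Ranges and fixed versions are from the advisory.
"""

# Affected ranges quoted in the advisory, and the fixed versions it recommends.
WEEKLY_AFFECTED = ((2, 224), (2, 242))
LTS_AFFECTED = ((2, 222, 1), (2, 235, 4))
FIXED = {"weekly": (2, 243), "lts": (2, 235, 5)}


def parse_version(version: str) -> tuple:
    """Turn '2.235.4' into (2, 235, 4); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def release_line(version: str) -> str:
    """Classify by component count (assumption: 2 = weekly, 3 = LTS)."""
    n = len(parse_version(version))
    if n == 2:
        return "weekly"
    if n == 3:
        return "lts"
    raise ValueError(f"unexpected version shape: {version!r}")


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's range for its line."""
    v = parse_version(version)
    low, high = WEEKLY_AFFECTED if release_line(version) == "weekly" else LTS_AFFECTED
    return low <= v <= high  # tuple comparison is component-wise, like versions


def assess(version: str) -> dict:
    """Return a small triage record: line, affected flag, and upgrade target."""
    line = release_line(version)
    return {
        "version": version,
        "line": line,
        "affected": is_affected(version),
        "upgrade_to": ".".join(map(str, FIXED[line])),
    }


if __name__ == "__main__":
    # Constructed sample inventory, e.g. values read from the X-Jenkins header.
    for v in ["2.222.1", "2.235.4", "2.235.5", "2.223", "2.242", "2.243"]:
        print(assess(v))
```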


0x03 Related News


https://securityaffairs.co/wordpress/107286/hacking/jenkins-information-disclosure.html?utm_source=rss&utm_medium=rss&utm_campaign=jenkins-information-disclosure


0x04 References


https://www.jenkins.io/security/advisory/2020-08-17/#SECURITY-1983


0x05 Timeline


2020-08-19 VSRC publishes this vulnerability advisory

