This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using
java -jar jenkins.war.
This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.
Jenkins 2.427 and earlier, LTS 2.414.2 and earlier bundles versions of Jetty affected by the security vulnerabilities CVE-2023-36478 and CVE-2023-44487. These vulnerabilities allow unauthenticated attackers to cause a denial of service.
This only affects instances that enable HTTP/2, typically using the
--http2Port argument to
java -jar jenkins.war or corresponding options in service configuration files.
It is disabled by default in all native installers and the Docker images provided by the Jenkins project.
Jenkins 2.428, LTS 2.414.3 updates the bundled Jetty to version 10.0.17, which is unaffected by these issues.
Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.