www.belgium.be Logo of the federal government

Critical Jenkins Server Vulnerability Could Leak Sensitive Information

Advisory #2020-028
Affected software: 
Jenkins weekly up to and including 2.242
Jenkins LTS up to and including 2.235.4
Disclosure of Sensitive data

CVE-2019-17638 - CVSS: 9.4




An unauthenticated attacker is able to obtain HTTP response headers that may include sensitive data intended for another user.


The vulnerability resides in the Winstone-Jetty wrapper that acts as an HTTP & Servlet server. The flaw resides in a buffer overflow that is not properly sanitized.

When the software throws an exception to throw an HTTP 431 error, it releases the HTTP response headers to the buffer pool twice.
These two threads can acquire the same buffer from the pool at the same time enabling one request to access a response written by the other thread.

This response can contain session identifiers, authentication credentials, and other sensitive information.

Recommended Actions

CERT.be recommends system administrators to apply the latest patches released by the vendor as soon as possible.
When patching, external facing systems should be prioritised.

Patched versions of the affected components are available at the Jenkins download page

Jenkins weekly releases should be updated to version 2.243
Jenkins LTS releases should be updated to version 2.235.5

link: https://www.jenkins.io/download/