{"uuid": "33ab5c63-e219-446b-bd25-6bc835df9f90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-27905", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/163", "content": "CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE\n\n\ud83d\udc64 by Ilay Goldman and Yair Kadkoda\n\nAqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server.\n\n\ud83d\udcdd Contents:\n\u25cf The Research in a Nutshell\n\u25cf Frequently Asked Questions\n\u25cf Some Basic Jenkins Definitions\n\u25cf Improper Sanitation: The Jenkins Update Center\n\u25cf CVE-2023-27905\n\u25cf CVE-2023-27898\n\u25cf The Tiering Mechanism\n\u25cf From XSS to RCE\n\u25cf Bringing the malicious plugin to the front\n\u25cf Attack steps summary\n\u25cf Disclosure timeline\n\u25cf In Summary\n\nhttps://blog.aquasec.com/jenkins-server-vulnerabilities", "creation_timestamp": "2023-03-09T06:16:33.000000Z"}