CVE-2023-27904
Information disclosure through error stack traces related to agents
CVSS 3.1 score: 3.1 (LOW)
EPSS: 0.50%
Description
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 print an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 do not display error stack traces when agent connections are broken.
How to fix CVE-2023-27904
To remediate CVE-2023-27904, upgrade the affected package to a fixed version below.
- upgrade to 2.394.0 or later
- upgrade to 2.387.1 or later
Is CVE-2023-27904 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.394.0
- >= 2.376, < 2.387.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.1) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |