Jenkins uses the library org.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project’s fork of net.sf.json-lib:json-lib, which has since been renamed to org.kordamp.json:json-lib-core. Jenkins LTS 2.479.1 and earlier, 2.486 and earlier bundles org.kohsuke.stapler:json-lib 2.4-jenkins-7 or earlier. These releases are affected by CVE-2024-47855. In Jenkins (without plugins) this allows attackers with Overall/Read permission to keep HTTP requests handling threads busy indefinitely, using system resources and preventing legitimate users from using Jenkins. Additionally, the Jenkins security team has identified multiple plugins that allow attackers lacking Overall/Read permission to do the same. These plugins include SonarQube Scanner and Bitbucket. Additionally, other features of Jenkins or plugins that process user-provided JSON may be affected, resulting in those features being blocked. The fix for CVE-2024-47855 in org.kordamp.json:json-lib-core has been backported to org.kohsuke.stapler:json-lib and released in version 2.4-jenkins-8. Jenkins LTS 2.479.2, 2.487 bundles org.kohsuke.stapler:json-lib 2.4-jenkins-8.
