Aqua researchers discovered that Jenkins open source automation servers are being impacted by two severe vulnerabilities dubbed "CorePlague," which could be exploited to facilitate arbitrary code execution, reports The Hacker News. Both flaws, tracked as CVE-2023-27898 and CVE-2023-27905, stem from Jenkins' faulty processing of Update Center plugins and could be leveraged to enable malicious payload-laced plugins that could prompt cross-site scripting attacks, the report revealed. "Once the victim opens the 'Available Plugin Manager' on their Jenkins server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins Server utilizing the Script Console API," said researchers. Threat actors could also activate the flaw even without plug-in installation. Moreover, self-hosted Jenkins servers, including those that are not connected to the internet, could also be impacted by attacks exploiting the flaws. Patches have already been issued by Jenkins to remediate the flaws for all versions of Jenkins prior to 2.319.2.