Critical RCE flaw in Jenkins, Patch Now!

A critical vulnerability has been identified in Jenkins, an open-source continuous integration/continuous delivery and deployment (CI/CD) automation software. The flaw, assigned the identifier CVE-2024-23897, is an arbitrary file read vulnerability that affects the built-in Command Line Interface (CLI) of Jenkins.

Technical Details:

Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an ‘@’ character followed by a file path in an argument with the contents of that file. The feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.

An attacker could exploit this quirk to read arbitrary files on the Jenkins controller file system, using the default character encoding of the Jenkins controller process. While attackers with “Overall/Read” permission can read entire files, those without it are limited to the first three lines of a file, depending on the CLI command used.

Impact

The flaw can be exploited to read the content of binary files that contain cryptographic keys. Under certain conditions, this opens the door for several remote code execution (RCE) scenarios and allows attackers to decrypt stored secrets, delete items in Jenkins, and download a Java heap dump of the Jenkins controller process.

Mitigation

The flaw has been fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature. As a short-term workaround until the patch can be applied, it is recommended to turn off access to the CLI.
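To make the parser feature described under Technical Details and the fix described above concrete, here is an added Python model of the ‘@’ expansion step (not code from Jenkins or args4j): with expansion enabled, as in the affected versions, an argument `@<path>` is replaced by that file's lines; with it disabled, as the fix does, the argument is passed through literally. The file it reads is a constructed temporary file, and the command name is a placeholder.

```python
import tempfile
from pathlib import Path


def expand_at_files(args, at_syntax):
    """Model of the argument pre-processing step the Jenkins CLI relied on.

    at_syntax=True  : an argument '@<path>' is replaced by the lines of
                      <path>, one argument per line (the risky behaviour,
                      since any readable file on the controller becomes
                      command input).
    at_syntax=False : the argument is kept verbatim, which is what the
                      fixed releases (2.442 / LTS 2.426.3) do.
    """
    result = []
    for arg in args:
        if at_syntax and arg.startswith("@"):
            path = Path(arg[1:])
            if not path.exists():
                raise ValueError(f"No such file: {path}")
            result.extend(path.read_text().splitlines())
        else:
            result.append(arg)
    return result


def demo():
    """Run the same argument list through both parser modes.

    Returns (vulnerable_result, fixed_result) so the difference can be
    inspected or asserted on.
    """
    # Constructed sample file standing in for a sensitive file on the
    # controller; its contents are made up for this illustration.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("line one\nline two\nline three\n")
        sample_path = f.name
    try:
        user_args = ["some-command", "@" + sample_path]   # placeholder command
        vulnerable = expand_at_files(user_args, at_syntax=True)
        fixed = expand_at_files(user_args, at_syntax=False)
    finally:
        Path(sample_path).unlink()
    return vulnerable, fixed
```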

Conclusion

This vulnerability underscores the importance of regular patching and updating of software to protect against potential security threats. Users of Jenkins are urged to update their systems to the latest version to mitigate this critical vulnerability.

