The maintainers of Jenkins, an open-source automation server widely used for continuous integration and delivery, have patched nine security vulnerabilities, including one critical issue that poses a serious risk of remote code execution (RCE). This vulnerability, identified as CVE-2024-23897, allows unauthorized users to read arbitrary files from the Jenkins controller’s file system through its command-line interface (CLI).
According to the security advisory released by the maintainers, the flaw arises from how Jenkins processes command-line arguments using the args4j library. This library includes a feature that expands paths prefixed with an @ symbol to read the file contents. This behavior is enabled by default and exists in Jenkins versions up to 2.441 and the long-term support version 2.426.2, both of which do not restrict this feature.
Threat actors can exploit this vulnerability to access sensitive files based on the permissions assigned within Jenkins. While users with full read privileges can access entire files, those without such permissions may still read the initial three lines, depending on the nature of the CLI command utilized. This malicious exploitation could potentially expose binary files containing valuable cryptographic keys, opening avenues for various types of attacks.
The potential ramifications of this vulnerability are considerable, including but not limited to remote code execution through resource root URLs, exploitation via “Remember me” cookies, and the ability to conduct stored cross-site scripting (XSS) attacks through build logs. Additionally, a compromised attacker could decrypt secured data within Jenkins, delete items, or download sensitive Java heap dumps.
Concerningly, even binary files that are read can be misinterpreted due to the manner in which Jenkins handles encoding. This results in some data potentially being lost, interpreted inaccurately, or replaced with placeholder values, depending on the chosen character encoding.
Discovered by security researcher Yaniv Nizry from SonarSource, the vulnerability was reported on November 13, 2023, and was subsequently addressed in Jenkins versions 2.442 and LTS 2.426.3, where the command parser feature was disabled by default as a remediation step. Until the update can be applied, the maintainers recommend temporarily disabling access to the CLI as a precaution.
This vulnerability surfaces nearly a year after Jenkins addressed critical security issues labeled “CorePlague,” which similarly posed risks of code execution on targeted systems (CVE-2023-27898 and CVE-2023-27905).
Following the disclosure of CVE-2024-23897, proof-of-concept exploits have been made publicly available, heightening the urgency for users to upgrade their Jenkins installations to mitigate potential risks.
In examining the adversarial tactics associated with such vulnerabilities, attackers may leverage methods categorized under the MITRE ATT&CK framework, particularly those relating to initial access and privilege escalation. The nature of this exploit suggests a sophisticated understanding of the software’s command parsing capabilities, indicating a calculated approach by adversaries to breach system defenses.
As the cybersecurity landscape continues to evolve, vigilance remains essential for business owners, particularly those utilizing widely-used software packages like Jenkins, to safeguard against vulnerabilities that could compromise their operational integrity.
