Jenkins is an open-source automation server that is based on Java used for continuous integration and continuous delivery processes. Threat actors target Jenkins due to its widespread use in software development pipelines.
The widespread use of it provides an opportunity for threat actors to exploit vulnerabilities and gain unauthorized access to sensitive data, allowing them to potentially disrupt and compromise software development workflows.
Recently, the researchers’ team at Jenkins uncovered a critical vulnerability that is tracked as “CVE-2024-23897,” with a CVSS score of 9.8 in Jenkins that enables threat actors to execute remote code.
Flaw Profile
- CVE ID: CVE-2024-23897
- CVSS score: 9.8
- Severity: CRITICAL
- Descriptions: Arbitrary file read vulnerability through the CLI can lead to RCE
- SECURITY-3314
Critical Jenkins Vulnerability
Jenkins vulnerability arises from a default-enabled parser feature, ‘expandAtFiles,’ in CLI that impacts versions 2.441 and earlier.
Exploiting an arbitrary file reads the issue, and then the attackers can access the file system through the args4j library, which potentially compromises the system’s security.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
CVE-2023-23897 permits Overall/Read permission holders to read entire files, while others can access the first few lines based on CLI commands.
Reading binary files with cryptographic keys is possible with restrictions. Jenkins warns of potential RCE attacks that require access to cryptographic keys from binary files for execution.
The Jenkins team found a way to read the first three lines in recent releases without plugins. However, no identified plugins increase this line count at the moment.
The confirmed attacks include reading all files with a known path and leveraging attackers’ ability to get cryptographic keys from binary files.
Capabilities
Here below, we have mentioned all the capabilities that this critical flaw enables the attackers:-
- Remote code execution via Resource Root URLs
- Remote code execution via “Remember me” cookie
- Remote code execution via stored cross-site scripting (XSS) attacks through build logs
- Remote code execution via CSRF protection bypass
- Decrypt secrets stored in Jenkins
- Delete any item in the Jenkins
- Download a Java heap dump
Besides this, the reading success relies on encoding with UTF-8 replacing half of the unreadable bytes, making it tough for attackers.
Windows-1252 replaces only 5 out of 256 values, significantly reducing the options. To identify and update Jenkins promptly to mitigate risks make sure to check file.encoding value in Manage Jenkins > System Info.
Other Flaws Detected
Here below, we have mentioned all the other vulnerabilities detected:-
- CVE-2024-23898 with CVSS 8.8, is a cross-site WebSocket hijacking vulnerability in the CLI.
- CVE-2024-23899 with CVSS 8.8, is an arbitrary file read vulnerability in Git server Plugin can lead to RCE.
- CVE-2023-6148 with CVSS 8.0, is a stored XSS vulnerability in Qualys Policy Compliance Scanning Connector Plugin.
- CVE-2024-23905 with CVSS 8.0, is a content-Security-Policy protection for user content disabled by Red Hat Dependency Analytics Plugin.
- CVE-2024-23904 with CVSS 7.5, is an arbitrary file read vulnerability in Log Command Plugin.
- CVE-2023-6147 with CVSS 7.1, is a XXE vulnerability in Qualys Policy Compliance Scanning Connector Plugin.
In Jenkins 2.442/LTS 2.426.3, the CVE-2024-23897 vulnerability has been fixed by disabling the command parser. Admins can undo by setting hudson.cli.CLICommand.allowAtSyntax to true, but it’s not advised, especially for open networks.
However, if the admin is unable to update Jenkins now, then as a workaround, they can temporarily block the CLI access.