Critical Jenkins vulnerability exposes servers to RCE attacks

Critical Jenkins Vulnerability

The maintainers of the open source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have fixed nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE).

The issue, assigned the CVE ID CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI).

“Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands,” the maintainers said in an advisory issued on Wednesday.

“This command parser has a feature that replaces an @ sign followed by a file path in an argument with the contents of the file (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier do not disable it.”

A threat actor could exploit this quirk to read arbitrary files on the Jenkins controller file system using the standard character encoding of the Jenkins controller process.

While attackers with the “Overall/Read” permission can read entire files, attackers without this permission can read the first three lines of the files, depending on the CLI commands.

Furthermore, the flaw could be leveraged to read binaries containing cryptographic keys, albeit with certain limitations. Provided the binary secrets can be extracted, Jenkins says, this could open the door to several attacks –

  • Remote code execution via Resource Root URLs
  • Remote code execution via “Remember me” cookie
  • Remote code execution via stored cross-site scripting (XSS) attacks via build logs
  • Remote code execution via CSRF security bypass
  • Decrypt secrets stored in Jenkins
  • Delete every item in Jenkins
  • Download a Java heap dump

“Although files containing binary data can be read, the affected function attempts to read them as strings using the controller process’s standard character encoding,” Jenkins said.

“This will likely result in some bytes not being read successfully and being replaced with a placeholder value. Which bytes can or cannot be read depends on this character encoding.”
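To make the advisory's description concrete, here is a small Python model of an argument parser with args4j-style @file expansion. It is an illustration added for this article, not Jenkins or args4j source code. It assumes, following args4j's expandAtFiles behaviour, that each line of the referenced file becomes a separate argument, and it constructs its own sample files (a short text file and a few bytes of binary) inside a temporary directory rather than reading anything from a real controller. Running the two modes side by side shows why the fix was simply to turn the feature off, and running the two encodings shows why which bytes survive depends on the controller process's default charset.

```python
"""Toy model of args4j-style "@file" argument expansion.

Added illustration for this article; not Jenkins or args4j code.  With
expansion enabled, an argument "@<path>" is replaced by the lines of <path>,
decoded as text with the process's default encoding.  With it disabled (the
behaviour of the fixed Jenkins releases) the token stays a literal string.
"""
import tempfile
from pathlib import Path

PLACEHOLDER = "\ufffd"  # what Python substitutes for bytes the decoder cannot read


def expand_at_files(args, enabled=True, encoding="utf-8"):
    """Return a new argument list with "@path" tokens expanded.

    Assumption (mirrors args4j's expandAtFiles): each line of the file
    becomes one argument.  The file is read as *text*, so bytes that are
    invalid in `encoding` turn into PLACEHOLDER characters instead of raw
    bytes; that is the limitation the advisory describes for binary files.
    """
    expanded = []
    for arg in args:
        if enabled and arg.startswith("@") and len(arg) > 1:
            raw = Path(arg[1:]).read_bytes()
            expanded.extend(raw.decode(encoding, errors="replace").splitlines())
        else:
            expanded.append(arg)
    return expanded


def demo():
    """Build constructed sample files and compare parser modes and encodings."""
    with tempfile.TemporaryDirectory() as tmp:
        notes = Path(tmp, "notes.txt")            # constructed text file
        notes.write_text("first line\nsecond line\n", encoding="utf-8")
        blob = Path(tmp, "key.bin")               # constructed binary file
        blob.write_bytes(b"ab\xff\xfecd")          # 0xFF / 0xFE are never valid UTF-8

        on_text = expand_at_files(["show", f"@{notes}"])
        on_bin_utf8 = expand_at_files(["show", f"@{blob}"], encoding="utf-8")
        on_bin_latin1 = expand_at_files(["show", f"@{blob}"], encoding="latin-1")
        off = expand_at_files(["show", f"@{notes}"], enabled=False)

    return {
        # vulnerable default: the file's lines are spliced into the command
        "expansion_on_text": on_text,             # ['show', 'first line', 'second line']
        # UTF-8 controller: both invalid bytes are lost to placeholders
        "utf8_placeholders": on_bin_utf8[1].count(PLACEHOLDER),      # 2
        # Latin-1 controller: every byte maps to some character, nothing lost
        "latin1_placeholders": on_bin_latin1[1].count(PLACEHOLDER),  # 0
        # fixed behaviour: "@path" is just another string argument
        "expansion_off_kept_literal": off[1].startswith("@") and len(off) == 2,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The placeholder counts are the practical reading of the advisory's caveat: a controller whose default encoding is a single-byte charset such as Latin-1 exposes binary secrets in full, while a UTF-8 controller mangles every byte sequence that is not valid UTF-8. That is also why the maintainers' fix was to disable the expansion feature outright rather than to filter paths.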

Security researcher Yaniv Nizry is credited with discovering and reporting the flaw, which is fixed in Jenkins 2.442, LTS 2.426.3 by disabling the command parser feature.

As a workaround until the patch can be applied, it is recommended that you disable access to the CLI.

The development comes nearly a year after Jenkins addressed a pair of serious security vulnerabilities called CorePlague (CVE-2023-27898 and CVE-2023-27905), which could lead to code execution on targeted systems.

