CVE-2024-23897: Jenkins server hijacking with a single character

Brother

Users urgently need to take the recommended security measures to maintain control over their systems.

The Jenkins project, developer of the popular open source automation server for CI/CD (Continuous Integration/Continuous Delivery), has fixed 9 security vulnerabilities, including one rated critical: CVE-2024-23897, which leads to remote code execution (RCE).

CVE-2024-23897 is described as an arbitrary file read vulnerability via the built-in command-line interface (Jenkins CLI). The command parser used by Jenkins has a feature that replaces an argument beginning with the "@" character with the contents of the file whose path follows that character. This feature is enabled by default in Jenkins 2.441 and earlier, as well as in LTS 2.426.2 and earlier, and was only disabled recently.

Exploiting the vulnerability allows an attacker to read arbitrary files on the Jenkins controller file system, using the default character encoding of the controller process. An attacker with the "Overall/Read" permission can read entire files; without that permission, only the first 3 lines of a file can be read, depending on the CLI command used.

In addition, the flaw can be used to read binary files containing cryptographic keys, although with certain restrictions. Extracting such secrets opens the way to a range of follow-on attacks:
  • Remote code execution via resource root URLs;
  • Remote code execution via the "Remember Me" cookie;
  • Remote code execution using XSS attacks (Cross-Site Scripting, XSS) via build logs;
  • Remote code execution bypassing CSRF protection (Cross-Site Request Forgery);
  • Decryption of secrets stored in Jenkins;
  • Deleting any element in Jenkins;
  • Loading a Java heap dump.

Yaniv Nizri, a security researcher at Checkmarx, was credited with discovering and reporting the vulnerability. It was fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parsing feature. Until the fix is applied, disabling access to the CLI is recommended as a temporary mitigation.
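A small triage helper for the patch status described above, written as an added example for this post (not code from the Jenkins project). It uses the fix thresholds stated here (weekly 2.442, LTS 2.426.3) and assumes the controller version is read from the X-Jenkins HTTP response header; the sample header values are constructed.

```python
"""Triage helper for CVE-2024-23897 (Jenkins arbitrary file read via '@'
expansion of CLI arguments). Added example, not Jenkins project code.
Fix thresholds from the advisory: weekly 2.442, LTS 2.426.3. Versions are
read from the X-Jenkins response header; sample values are constructed."""
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text: str) -> tuple:
    """'2.426.2' -> (2, 426, 2); rejects anything but dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if this controller still expands '@file' in CLI arguments.
    LTS releases have three components (2.426.2), weekly releases two
    (2.441); each line has its own fix threshold, so one cut-off number
    would misclassify the other line."""
    v = parse_version(version)
    if len(v) == 3:  # LTS line
        return v < FIXED_LTS
    if len(v) == 2:  # weekly line
        return v < FIXED_WEEKLY
    raise ValueError(f"unexpected version shape: {version!r}")


def triage(headers: dict) -> str:
    """Classify one controller from its HTTP response headers."""
    version = headers.get("X-Jenkins")
    if version is None:
        return "unknown: no X-Jenkins header"
    if is_vulnerable(version):
        return f"vulnerable: {version} (upgrade; disable CLI access until then)"
    return f"patched: {version}"


# Constructed sample inventory: controller name -> response headers.
SAMPLE_CONTROLLERS = {
    "ci-a": {"X-Jenkins": "2.426.2"},  # LTS, last vulnerable release
    "ci-b": {"X-Jenkins": "2.441"},    # weekly, last vulnerable release
    "ci-c": {"X-Jenkins": "2.442"},    # weekly, fixed
    "ci-d": {"Server": "Jetty"},       # no version header at all
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_CONTROLLERS.items():
        print(f"{name}: {triage(hdrs)}")
```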