
Jenkins has released a patch for a critical vulnerability that could result in remote code execution.
The vulnerability, tracked as CVE-2024-23897 with a CVSS score of 9.8, resides within Jenkins’ built-in command line interface (CLI) and has sent ripples of concern across the IT landscape. It opens the door to arbitrary file reads through the CLI, potentially culminating in remote code execution.
Jenkins depends on the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. A benign feature, designed to enhance utility by replacing an “@” character followed by a file path in an argument with the file’s contents, has become a Pandora’s box. Enabled by default and unchecked in versions up to 2.441 and LTS 2.426.2, “this allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
The Jenkins security team has found ways to read the first three lines of files in the latest Jenkins versions, even without any plugins installed, and has not identified any plugins that would increase the number of lines that can be read.
From exploiting the “Resource Root URL” functionality to crafting a “Remember me” cookie that impersonates an administrator account, the avenues for exploitation are as varied as they are perilous. Each variant of the attack demands a unique set of conditions, from accessible CLI WebSocket endpoints to the retrieval of binary secrets.
Jenkins has released a patch in versions 2.442 and LTS 2.426.3, disabling the command parser feature that enabled this vulnerability. Administrators who need immediate relief but cannot yet upgrade can mitigate the flaw by disabling CLI access altogether, a recommended interim measure that does not require a Jenkins restart.
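As an added example (not code from this article or from the Jenkins project), the following Python script classifies a Jenkins controller version against the affected and fixed versions stated above, distinguishing the weekly line (two components, fixed in 2.442) from the LTS line (three components, fixed in 2.426.3). The `X-Jenkins` response header it reads is a real header Jenkins sends; the function names and the version-check logic are my own.

```python
"""Triage helper: is a Jenkins controller version affected by CVE-2024-23897?

Affected: weekly releases up to 2.441 and LTS releases up to 2.426.2.
Fixed:    weekly 2.442 and LTS 2.426.3 (values taken from the advisory above).
"""
from __future__ import annotations
import re
import sys
import urllib.error
import urllib.request

FIXED_WEEKLY = (2, 442)      # first patched weekly release
FIXED_LTS = (2, 426, 3)      # first patched LTS release


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.426.2' (LTS) or '2.441' (weekly) into a tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: tuple[int, ...]) -> bool:
    # Jenkins LTS releases carry three components (2.426.2); weekly releases carry two (2.441).
    return len(version) == 3


def is_vulnerable(text: str) -> bool:
    """True when the version is below the first fixed release of its own line."""
    v = parse_version(text)
    return v < FIXED_LTS if is_lts(v) else v < FIXED_WEEKLY


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Read the X-Jenkins header from /login; Jenkins sets it even on 403 responses."""
    req = urllib.request.Request(base_url.rstrip("/") + "/login")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            value = resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:      # e.g. 403 when anonymous access is off
        value = err.headers.get("X-Jenkins")
    if not value:
        raise RuntimeError("no X-Jenkins header: not a Jenkins controller, or a proxy stripped it")
    return value


if __name__ == "__main__":
    # Accept either bare version strings or controller URLs (constructed usage, e.g. "2.426.2").
    for arg in sys.argv[1:]:
        ver = fetch_version(arg) if arg.startswith("http") else arg
        state = "VULNERABLE: upgrade, or disable CLI access meanwhile" if is_vulnerable(ver) else "patched"
        print(f"{arg}: {ver} -> {state}")
```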