
CISA adds Jenkins bug CVE-2024-23897 to its KEV Catalog


The U.S. CISA added a Jenkins Command Line Interface (CLI) Path Traversal vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Jenkins has addressed the vulnerability, tracked as CVE-2024-23897 with a CVSS score of 9.8, after a proof-of-concept (PoC) exploit was publicly released; successful exploitation could lead to remote code execution.

Jenkins has a built-in command line interface (CLI) for accessing the platform from a script or shell environment. It uses the args4j library to parse CLI command arguments and options on the Jenkins controller. The parser has a feature (‘expandAtFiles’) that replaces an ‘@’ character followed by a file path in an argument with the contents of that file. This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.
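Turning the affected version ranges above into an inventory triage check, as an added example that is not from the original post or from the Jenkins project. It assumes that any release numbered above those bounds carries the fix, and the hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Tuple

# Upper bounds of the affected ranges, taken from the advisory text above.
# Assumption: any release numbered above these bounds carries the fix.
MAX_AFFECTED_WEEKLY: Tuple[int, ...] = (2, 441)
MAX_AFFECTED_LTS: Tuple[int, ...] = (2, 426, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.441' or '2.426.2' into a comparable tuple of ints.

    Weekly releases use two components, LTS releases three; anything else
    (blank banner, '2.x-SNAPSHOT', ...) is rejected so the caller can route
    it to manual review instead of silently assuming it is fixed.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True if the version falls inside an affected range."""
    v = parse_version(version)
    if len(v) == 3:                     # LTS line, e.g. 2.426.2
        return v <= MAX_AFFECTED_LTS
    return v <= MAX_AFFECTED_WEEKLY     # weekly line, e.g. 2.441


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an inventory {host: version} into affected / fixed / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ci-weekly-old": "2.441",     # last affected weekly release
    "ci-weekly-new": "2.442",     # first weekly release above the bound
    "ci-lts-old": "2.426.2",      # last affected LTS release
    "ci-lts-new": "2.426.3",      # first LTS release above the bound
    "ci-lts-ancient": "2.414.3",  # older LTS, still affected
    "ci-banner-missing": "",      # version not exposed -> manual review
}
```

Instances that land in the "unknown" bucket should be checked by hand rather than treated as patched.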


Threat actors can abuse the default character encoding of the Jenkins controller process to read arbitrary files on the controller file system. An attacker with the “Overall/Read” permission can read entire files, while an attacker without it can read the first three lines of a file, depending on the CLI commands used.

The harder truth is that exploiting this flaw makes it possible to read binary files containing cryptographic keys used for various Jenkins features.

Researchers warned of massive exploitation of the vulnerability; querying Shodan, one researcher found more than 75,000 internet-facing instances.

CISA orders federal agencies to fix this vulnerability by September 9, 2024.
