A security researcher from Conviso Labs published the technical details and a proof-of-concept (PoC) exploit for a critical vulnerability in Jenkin.
The vulnerability tracked as CVE-2024-43044 is classified as an arbitrary file read vulnerability, which allows an agent to read files from the Jenkins controller. The root cause lies in the Jenkins feature that permits the controller to transmit JAR files to its agents. The vulnerability exists because the ClassLoaderProxy#fetchJar method, invoked on the controller, fails to restrict the file paths that agents can request. This lack of restriction enables unauthorized file access on the controller’s file system.
The exploitation process begins by leveraging the hudson.remoting.RemoteClassLoader, which loads class files from a remote peer via a channel. Through this, the attacker accesses a Proxy object within the RemoteClassLoader, linked to a hudson.remoting.RemoteInvocationHandler. This handler then invokes the fetchJar method, triggering a Remote Procedure Call (RPC) to the controller.
On the controller side, the vulnerability is further exposed as the fetchJar method reads resources without validating the user-controlled URL. This critical oversight allows an attacker to bypass the Agent -> Controller Access Control system—a security feature designed to prevent unauthorized agent access to the controller, which has been active by default since Jenkins version 2.326.
Conviso Labs’ proof-of-concept (PoC) exploit demonstrates the serious implications of CVE-2024-43044. The attack sequence is as follows:
- The exploit initially acquires a reference to the hudson.remoting.RemoteClassLoader.
- Using this reference, the attacker creates a file reader to access specific files from the controller.
- The attacker reads three critical files to forge a cookie for a given user.
- The exploit then reads a list of Jenkins users, including detailed information like ID, timestamp, seed, and hash.
- Using the gathered data, the attacker forges a “remember-me” cookie for various users until access to the Jenkins Scripting Engine is obtained.
- With access to the scripting engine, the attacker can execute system commands on the Jenkins server.
- Finally, the exploit dumps usernames and hashes in a format ready for cracking using tools like John the Ripper.
This vulnerability has been addressed in Jenkins version 2.471, and in the long-term support (LTS) versions 2.452.4 and 2.462.1. Customers should upgrade immediately to remain safe.
