The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE).
The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI)
"Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands," the maintainers said in a Wednesday advisory.
"This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it."
A threat actor could exploit this quirk to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
While attackers with "Overall/Read" permission can read entire files, those without it can read the first three lines of the files depending on the CLI commands.
Additionally, the shortcoming could be weaponized to read binary files containing cryptographic keys, albeit with certain restrictions. Provided the binary secrets can be extracted, Jenkins says it could open the door to various attacks -
- Remote code execution via Resource Root URLs
- Remote code execution via "Remember me" cookie
- Remote code execution via stored cross-site scripting (XSS) attacks through build logs
- Remote code execution via CSRF protection bypass
- Decrypt secrets stored in Jenkins
- Delete any item in Jenkins
- Download a Java heap dump
"While files containing binary data can be read, the affected feature attempts to read them as strings using the controller process's default character encoding," Jenkins said.
"This is likely to result in some bytes not being read successfully and being replaced with a placeholder value. Which bytes can or cannot be read depends on this character encoding."
SonarSource security researcher Yaniv Nizry has been credited with discovering and reporting the flaw on November 13, 2023, which has been fixed in Jenkins 2.442, LTS 2.426.3 by disabling the command parser feature.
As a short-term workaround until the patch can be applied, it's recommended to turn off access to the CLI.
The development comes nearly a year after Jenkins addressed a pair of severe security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that could lead to code execution on targeted systems.
Update
Proof-of-concept (PoC) exploits for CVE-2024-23897 have been published on GitHub following public disclosure of the flaw, making it essential that users update their installations to the latest version to prevent potential risks.