Article Details

Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!. The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI) "Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands," the maintainers said in a Wednesday advisory. "This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it." A threat actor could exploit this quirk to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. While attackers with "Overall/Read" permission can read entire files, those without it can read the first three lines of the files depending on the CLI commands. Additionally, the shortcoming could be weaponized to read binary files containing cryptographic keys, albeit with certain restrictions. Provided the binary secrets can be extracted, Jenkins says it could open the door to various attacks - "While files containing binary data can be read, the affected feature attempts to read them as strings using the controller process's default character encoding," Jenkins said. "This is likely to result in some bytes not being read successfully and being replaced with a placeholder value. Which bytes can or cannot be read depends on this character encoding." Security researcher Yaniv Nizry has been credited with discovering and reporting the flaw, which has been fixed in Jenkins 2.442, LTS 2.426.3 by disabling the command parser feature. As a short-term workaround until the patch can be applied, it's recommended to turn off access to the CLI. The development comes nearly a year after Jenkins addressed a pair of severe security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that could lead to code execution on targeted systems. SaaS Security Masterclass: Insights from 493 Companies Watch this webinar to discover Critical SaaS Security Do's and Don'ts based on a study of 493 companies, offering real-world comparisons and benchmarks.