    Serious Jenkins vulnerability exposes servers to RCE attacks

Report, January 25, 2024, Editorial Department, Vulnerabilities / Software Security

    Serious Jenkins vulnerability

The maintainers of the open source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have addressed nine security vulnerabilities, including a critical bug that, if successfully exploited, could lead to remote code execution (RCE).

This issue has been assigned the CVE identifier CVE-2024-23897 and is described as an arbitrary file read vulnerability through the built-in command line interface (CLI).

    “When processing CLI commands, Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller,” maintainers said in Wednesday’s announcement.

“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default in Jenkins 2.441 and earlier, LTS 2.426.2 and earlier, and it is not deactivated.”


Threat actors can exploit this quirk to read arbitrary files on the Jenkins controller file system, using the default character encoding of the Jenkins controller process.

While an attacker with “Overall/Read” permission can read entire files, an attacker without this permission can still read the first three lines of a file, depending on the CLI command used.

Additionally, the flaw can be weaponized to read binary files containing encryption keys, albeit with certain limitations. Jenkins said that once a binary secret can be extracted, it opens the door to a variety of attacks:

• Remote code execution via resource root URLs
• Remote code execution via “remember me” cookies
• Remote code execution via stored cross-site scripting (XSS) attacks in build logs
• Remote code execution via CSRF protection bypass
• Decrypting secrets stored in Jenkins
• Deleting any project in Jenkins
• Downloading a Java heap dump

    “While it is possible to read files containing binary data, the affected functionality attempts to read them as strings using the default character encoding of the controller process,” Jenkins said.


    “This will most likely result in some bytes not being read successfully and being replaced with placeholder values. Which bytes can or cannot be read depends on this character encoding.”

Security researcher Yaniv Nizry is believed to have discovered and reported the flaw, which has been fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature.

As a short-term workaround until the patch can be applied, it is recommended to disable access to the CLI.
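A small triage helper for the fixed versions named above, added here as an illustration and not code from Jenkins or the article. It classifies a Jenkins version string as predating or including the fix (weekly 2.442, LTS 2.426.3) and assumes the version is taken from the X-Jenkins response header that a controller sends; the parsing itself runs offline on constructed header values.

```python
"""Triage helper for CVE-2024-23897 (Jenkins args4j '@file' expansion).

Classifies a Jenkins version string against the fixed releases named in the
article: weekly 2.442 and LTS 2.426.3. The X-Jenkins response header is
assumed as the source of the version string (constructed samples below).
"""
import re
from typing import Optional

FIXED_WEEKLY = (2, 442)     # weekly 2.442 and later carry the fix
FIXED_LTS = (2, 426, 3)     # LTS 2.426.3 and later carry the fix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor) for a weekly release or (major, minor, patch)
    for an LTS release; None if the string is not a plain Jenkins version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True when the version predates the fix, False when it is fixed,
    None when the version cannot be parsed (do not treat None as safe)."""
    v = parse_version(version)
    if v is None:
        return None
    if len(v) == 2:                 # weekly line: 2.441 and earlier affected
        return v < FIXED_WEEKLY
    # LTS line: 2.426.2 and earlier affected; later LTS lines (e.g. 2.440.x)
    # are cut from weeklies that already include the fix, so they compare
    # greater than 2.426.3 and are reported as patched.
    return v < FIXED_LTS


def triage_headers(headers: dict) -> dict:
    """Look up X-Jenkins case-insensitively and report one of
    'vulnerable', 'patched' or 'unknown' (missing or unparsable version)."""
    value = next((val for key, val in headers.items()
                  if key.lower() == "x-jenkins"), None)
    if value is None:
        return {"version": None, "status": "unknown"}
    vuln = is_vulnerable(value)
    status = "unknown" if vuln is None else ("vulnerable" if vuln else "patched")
    return {"version": value.strip(), "status": status}
```

An 'unknown' result means the host still needs a manual look, which matters because the workaround above (disabling CLI access) does not change the reported version.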

Nearly a year earlier, Jenkins resolved two serious security vulnerabilities, collectively called CorePlague (CVE-2023-27898 and CVE-2023-27905), that could lead to code execution on the target system.
