The Jenkins automation server has been identified with a critical vulnerability, CVE-2024-23897, affecting the command-line interface (CLI) functionality. The flaw, which is inherent in the way Jenkins uses the args4j library to parse command arguments, allows attackers to read arbitrary files on the Jenkins controller file system. Notably, the vulnerability hinges on the misuse of an ‘@’ character followed by a file path in an argument, leading to unauthorized file content exposure.
Technical Details:
CVE-2024-23897 arises due to a feature in the Jenkins CLI that inadequately handles the ‘@’ character followed by a file path, allowing attackers to exploit the feature for arbitrary file reading. This vulnerability affects Jenkins versions up to 2.441 and LTS versions up to 2.426.2. The exposure enables attackers, based on their permission levels, to read entire files or merely the first few lines, potentially revealing sensitive data and cryptographic keys. This vulnerability also extends to the reading of binary files, which, depending on the file’s encoding, could lead to various RCE scenarios, including but not limited to:
- Executing arbitrary code via different methods (Resource Root URLs, “Remember me” cookies).
- Launching stored cross-site scripting (XSS) attacks through build logs.
- Decrypting secrets stored in Jenkins.
- Deleting items or downloading a Java heap dump from Jenkins.
Severity:
The vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 9.8, categorizing it as critical. This score reflects the potential for remote code execution (RCE), decryption of stored secrets, and other malicious activities that can be conducted by exploiting this flaw.
Attack Scenarios and Impact:
CVE-2024-23897 opens multiple attack vectors, leveraging the ability to obtain cryptographic keys and other sensitive data from binary files. The confirmed possible attacks include, but are not limited to:
- RCE through Resource Root URLs.
- RCE via “Remember me” cookie.
- RCE through stored cross-site scripting (XSS) in build logs.
- CSRF protection bypass leading to RCE.
- Decrypting secrets stored in Jenkins.
- Deletion of items in Jenkins.
- Downloading a Java heap dump of the Jenkins controller process.
Mitigation and Recommendations:
Jenkins has addressed the issue in versions 2.442 and LTS 2.426.3 by disabling the vulnerable command parser feature. However, the wide use and critical nature of Jenkins necessitate immediate action from administrators. Recommended mitigation steps include:
- Updating Jenkins instances to the patched versions immediately.
- As a temporary measure until the patch can be applied, disable access to the Jenkins CLI to prevent exploitation.
- Regularly monitor and audit systems for unusual activities or signs of compromise.
- Verify the encoding settings, as the success of file reading depends on the encoding, with UTF-8 and Windows-1252 having different implications for the data that can be successfully read.
Given the severity of CVE-2024-23897 and its potential impact on Jenkins, a widely used automation server in software development workflows, it’s crucial for organizations to promptly apply the provided patches and adhere to the recommended security practices. Continuous vigilance, regular security assessments, and adherence to security best practices are paramount in mitigating the risks associated with this vulnerability.
Stay safe and informed,
OP Innovate.
