The developers of Jenkins, the widely used open-source CI/CD automation server, have announced several vulnerabilities in its security system, including one rated critical: CVE-2024-23897. The flaw is an arbitrary file read through the Jenkins command-line interface (CLI) that can be escalated to remote code execution (RCE). It stems from a feature of the command-line argument parser Jenkins uses (the args4j library): when an argument begins with "@", the parser replaces the argument with the contents of the file whose path follows the "@". This feature was enabled by default in Jenkins 2.441 and earlier and in LTS 2.426.2 and earlier.
An attacker exploiting this vulnerability can read arbitrary files on the Jenkins controller file system, interpreted with the default character encoding of the controller process. How much of a file can be read depends on the attacker's permissions. With Overall/Read permission the attacker can read entire files; without it, only the first few lines (up to three, depending on which CLI commands are available) are disclosed, because those lines are reflected back in the commands' error messages.
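To make the parser behaviour concrete, here is an added Python model of the "@file" expansion and of what a caller sees with and without Overall/Read. It is illustrative code written for this page, not Jenkins or args4j source: expand_at_files mirrors args4j's one-argument-per-line expansion (and its disabled form after the fix), and run_cli is a hypothetical command whose error message quotes its first argument; the sample file contents are constructed.

```python
import os
import tempfile
from typing import List

# Constructed sample content standing in for a secret on the controller;
# this is not a real Jenkins file.
SAMPLE_LINES = ["first-secret-line", "second-secret-line", "third-secret-line"]


def make_sample_file() -> str:
    """Write the constructed sample lines to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="jenkins-sim-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(SAMPLE_LINES) + "\n")
    return path


def expand_at_files(args: List[str], expand_enabled: bool = True) -> List[str]:
    """Model of args4j's '@file' handling.

    expand_enabled=True mirrors the pre-fix default (Jenkins <= 2.441,
    LTS <= 2.426.2): an argument '@/path' is replaced by one argument per
    line of that file. expand_enabled=False mirrors 2.442 / LTS 2.426.3,
    where the argument is passed through literally.
    """
    expanded: List[str] = []
    for arg in args:
        if expand_enabled and arg.startswith("@"):
            # Read with the process default encoding, as the controller does;
            # bytes invalid in that encoding are replaced, not preserved, which
            # is the limitation the advisory notes for binary key files.
            with open(arg[1:], "r", errors="replace") as fh:
                expanded.extend(line.rstrip("\r\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def run_cli(args: List[str], has_overall_read: bool, expand_enabled: bool = True) -> str:
    """Model of the text a CLI caller gets back from a hypothetical command.

    With Overall/Read the modelled command echoes every argument, standing in
    for commands that return full file contents to authorised users. Without
    it the command can only fail, and its error message quotes the first
    argument, standing in for the partial (first lines) disclosure.
    """
    try:
        expanded = expand_at_files(args, expand_enabled)
    except FileNotFoundError as exc:
        return f"ERROR: No such file: {exc.filename}"
    if has_overall_read:
        return "\n".join(expanded)
    first = expanded[0] if expanded else ""
    return f"ERROR: No such agent '{first}' exists."


if __name__ == "__main__":
    path = make_sample_file()
    print("vulnerable, Overall/Read:\n" + run_cli(["@" + path], True))
    print("vulnerable, no Overall/Read:\n" + run_cli(["@" + path], False))
    print("patched, Overall/Read:\n" + run_cli(["@" + path], True, expand_enabled=False))
    os.unlink(path)
```

Running the block shows the three cases side by side: the unpatched parser with Overall/Read returns every line of the file, the unpatched parser without Overall/Read leaks only the first line through the error text, and the patched parser returns the literal "@/path" string because expansion is disabled.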
The vulnerability can also be used to read binary files containing cryptographic keys, with some limitations, because bytes that are not valid in the controller's character encoding are not reproduced faithfully. Disclosure of these secrets enables a range of follow-on attacks: remote code execution via Resource Root URLs, remote code execution via the "Remember me" cookie, remote code execution via stored XSS in build logs, remote code execution via CSRF protection bypass, decryption of secrets stored in Jenkins, deletion of any item in Jenkins, and downloading of a Java heap dump.
Security researcher Yaniv Nizry of SonarSource was credited with discovering and reporting the vulnerability. It is fixed in Jenkins 2.442 and LTS 2.426.3, which disable the command parser's "@" file-expansion feature. As a temporary workaround until the update is applied, disable access to the CLI.
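Because the affected and fixed releases differ between the weekly and LTS lines, a version check that simply compares numbers gets this wrong (2.440.1 is an LTS release that is not affected, while weekly 2.441 is). The following added Python helper, written for this page and not part of Jenkins, encodes the boundaries from the advisory and triages a constructed inventory; the inventory values are assumed to come from something like the X-Jenkins response header of each controller.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases from the advisory: weekly 2.442, LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_jenkins_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse 'X.Y' (weekly) or 'X.Y.Z' (LTS) into a comparable tuple; None if malformed."""
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable_cve_2024_23897(version: str) -> bool:
    """True if the version is in an affected range: weekly <= 2.441 or LTS <= 2.426.2."""
    parts = parse_jenkins_version(version)
    if parts is None:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    if len(parts) == 3:
        # Three components means an LTS release; compare against the LTS fix.
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each controller as 'vulnerable', 'fixed' or 'unknown'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable_cve_2024_23897(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory (hypothetical hostnames and header values).
SAMPLE_INVENTORY = {
    "ci-weekly-old": "2.441",
    "ci-weekly-new": "2.442",
    "ci-lts-old": "2.426.2",
    "ci-lts-fixed": "2.426.3",
    "ci-lts-older-line": "2.414.3",
    "ci-lts-next-line": "2.440.1",
    "ci-unparsed": "2.426.3-snapshot",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:18} {SAMPLE_INVENTORY[host]:18} {status}")
```

Anything the parser cannot classify is reported as unknown rather than silently treated as fixed, so that odd version strings are looked at by a person instead of dropping off the patch list.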