A critical vulnerability in the built-in command line interface (CLI) of Jenkins allows attackers to read arbitrary files on the Jenkins controller, including the cryptographic keys that, under certain conditions, can be leveraged to execute arbitrary code remotely.
The issue, tracked as CVE-2024-23897, impacts Jenkins 2.441 and earlier and LTS 2.426.2 and earlier, because the command parser (the args4j library) has a feature where an ‘@’ character followed by a file path in an argument is replaced with the file’s content.
“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process,” Jenkins warns in its advisory.
Attackers without Overall/Read permission, which can include unauthenticated users depending on the authorization configuration, can exploit the security defect to read the first few lines of a file, while attackers with Overall/Read permission, the lowest level of access an authenticated user can have, can view the entire content of the file.
The flaw can be exploited to read the content of binary files that contain cryptographic keys. Because the file is decoded as text using the controller's default character encoding, bytes that are not valid in that encoding are not recovered intact, which is why this only works under certain conditions. Where it does, it opens the door for several remote code execution (RCE) scenarios and allows attackers to decrypt stored secrets, delete items in Jenkins, and download a Java heap dump of the Jenkins controller process.
According to code quality firm Sonar, which discovered the vulnerability, the root cause of this issue is a call to a function that “reads the file in the path after the @ and expands a new argument for each line”.
An attacker would simply need to find “a command that takes an arbitrary number of arguments and displays these back to the user” and exploit the vulnerability to access the contents of the file the arguments are populated from.
By exploiting the bug, an attacker could read SSH keys, passwords, project secrets and credentials, source code, build artifacts, and other information, Sonar says.
Jenkins 2.442 and LTS 2.426.3 resolve the vulnerability by disabling the command parser feature. If updating to the latest releases is not possible, administrators are advised to disable access to the Jenkins CLI, which prevents exploitation completely, but only as a temporary workaround.
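The following is an added example, written for this page and not taken from args4j, Sonar or the Jenkins project, that models the mechanism described above: an argument beginning with '@' is replaced by one argument per line of the named file, a command that displays its arguments back then leaks those lines, and the fix is simply to turn the expansion off. The two "commands" are constructed stand-ins (not real Jenkins CLI commands), the files are written to a temporary directory, and the `errors="replace"` decoding is an assumption used to model what happens to bytes that are invalid in the process's default character encoding.

```python
"""Model of '@file' argument expansion and its removal (CVE-2024-23897 mechanism).

Added example for illustration only; this is not the args4j or Jenkins code.
"""
import os
import tempfile


def expand_at_args(args, at_syntax=True, encoding="utf-8"):
    """Model of the parser's '@path' handling.

    With at_syntax=True (the pre-fix behaviour), an argument '@/some/path' is
    replaced by one argument per line of that file. With at_syntax=False (the
    behaviour after the fix) the argument passes through unchanged and no file
    is opened at all. Decoding errors are replaced rather than raised, which is
    an assumption about how a text decoder treats bytes invalid in its charset.
    """
    if not at_syntax:
        return list(args)
    expanded = []
    for arg in args:
        if arg.startswith("@"):
            with open(arg[1:], encoding=encoding, errors="replace") as fh:
                expanded.extend(line.rstrip("\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def echo_command(args):
    """Constructed stand-in for a command that takes any number of arguments
    and displays them all back (the full-file-read case in the text)."""
    return "\n".join(args)


def strict_command(args):
    """Constructed stand-in for a command that accepts exactly one argument and
    echoes only the first one in its error message (the 'first few lines'
    case in the text). Not a real Jenkins command."""
    if len(args) != 1:
        return "ERROR: expected one argument, got %r and %d more" % (args[0], len(args) - 1)
    return "OK " + args[0]


def run_cli(command, raw_args, at_syntax=True):
    """Parse the raw argument vector, then dispatch to the command."""
    return command(expand_at_args(raw_args, at_syntax=at_syntax))


def demo_text_file():
    """Constructed secret file: what leaks before and after disabling '@' expansion."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "master.key")  # constructed sample, not a real key
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("line1-secret\nline2-secret\nline3-secret\n")
        full = run_cli(echo_command, ["@" + secret])                    # whole file
        partial = run_cli(strict_command, ["@" + secret])               # first line only
        fixed = run_cli(echo_command, ["@" + secret], at_syntax=False)  # literal '@path'
        return full, partial, fixed


def demo_binary_file():
    """Constructed binary file: bytes invalid in the decoder's charset are lost."""
    with tempfile.TemporaryDirectory() as d:
        blob = os.path.join(d, "secret.key")  # constructed sample, not a real key
        with open(blob, "wb") as fh:
            fh.write(b"\x00A\xffB")  # 0xFF is not valid UTF-8
        return expand_at_args(["@" + blob])


if __name__ == "__main__":
    full, partial, fixed = demo_text_file()
    print("before fix, echoing command:\n" + full)
    print("before fix, strict command:\n" + partial)
    print("after fix:\n" + fixed)
    print("binary file through text decoder:", demo_binary_file())
```

Running the script shows all three constructed lines leaking through the echoing command, only the first line leaking through the strict command's error message, the literal `@/tmp/.../master.key` string being passed through untouched once expansion is off, and the 0xFF byte of the binary sample coming back as U+FFFD, which is why key material in binary files is only usable when its bytes survive the decoder.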
The latest Jenkins versions also resolve two high-severity bugs: a cross-site WebSocket hijacking (CSWSH) bug leading to CLI command execution, and an arbitrary file read in the Git Server Plugin that has an impact similar to that of CVE-2024-23897 but requires authentication for exploitation.
Jenkins also announced patches for several medium- and low-severity vulnerabilities in the open source automation server, as well as fixes for multiple high-severity vulnerabilities in various plugins, but warned that CVE-2024-23904, a Log Command Plugin flaw similar to CVE-2024-23897, remains unpatched.
Related: Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins
Related: Jenkins Server Vulnerabilities Chained for Remote Code Execution
Related: Jenkins Says Confluence Service Compromised Using Recent Exploit