SecurityWeek

Critical Jenkins Vulnerability Leads to Remote Code Execution

A critical vulnerability in Jenkins’ built-in CLI allows remote attackers to obtain cryptographic keys and execute arbitrary code.

A critical vulnerability in the built-in command line interface (CLI) of Jenkins allows attackers to obtain cryptographic keys that can be used to execute arbitrary code remotely.

The issue, tracked as CVE-2024-23897, impacts Jenkins 2.441 and earlier and LTS 2.426.2 and earlier. Jenkins uses the args4j library to parse CLI command arguments on the controller, and that parser has a feature, enabled by default, that replaces an ‘@’ character followed by a file path in an argument with the contents of that file.

“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process,” Jenkins warns in its advisory.

Unauthenticated attackers could exploit the security defect to read the first few lines of a file, with the exact number depending on which CLI commands are available, while authenticated attackers with nothing more than ‘read-only’ (Overall/Read) permission can view the entire content of the file.

The flaw can be exploited to read the content of binary files that contain cryptographic keys which, under certain conditions, opens the door for several remote code execution (RCE) scenarios and allows attackers to decrypt stored secrets, delete items in Jenkins, and download a Java heap dump of the Jenkins controller process.

According to code quality firm Sonar, which discovered the vulnerability, the root cause of this issue is a call to a function that “reads the file in the path after the @ and expands a new argument for each line”.

An attacker would simply need to find “a command that takes an arbitrary number of arguments and displays these back to the user” and exploit the vulnerability to access the contents of the file the arguments are populated from.

By exploiting the bug, an attacker could read SSH keys, passwords, project secrets and credentials, source code, build artifacts, and other information, Sonar says.


Jenkins 2.442 and LTS 2.426.3 resolve the vulnerability by disabling the command parser feature. If updating to the latest releases is not possible, administrators are advised to disable access to the Jenkins CLI, which the project says is expected to prevent exploitation completely and does not require a restart, but only as a temporary workaround.
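The mechanism described above is easy to see in a small model. The following Python is an added example written for this article, not code from Jenkins, args4j or Sonar: it re-implements the ‘@file’ expansion that the advisory attributes to args4j, runs it against two modelled CLI commands (one that reflects every argument, as Sonar's exploitation condition requires, and one that accepts no arguments and names the first unexpected one in its error), and then repeats both calls with expansion switched off, which is the effect of the fix. The command names, the sample file and its contents are all constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample file standing in for a secret on the Jenkins controller
# (e.g. a key or credentials file). Not real data.
SAMPLE_LINES = ["line1-secret-A", "line2-secret-B", "line3-secret-C"]


def write_sample_file():
    """Write the constructed sample file to a temp path and return the path."""
    fd, path = tempfile.mkstemp(prefix="jenkins-at-file-demo-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("\n".join(SAMPLE_LINES) + "\n")
    return path


def expand_at_files(args, expand=True):
    """Model of the args4j behaviour the advisory describes: an argument of the
    form '@<path>' is replaced by one new argument per line of that file.
    expand=False passes the argument through untouched, which is what the fix
    in Jenkins 2.442 / LTS 2.426.3 amounts to (the feature is disabled)."""
    out = []
    for a in args:
        if expand and a.startswith("@"):
            # Real Jenkins reads with the controller's default encoding; this
            # model uses UTF-8.
            with open(a[1:], encoding="utf-8") as f:
                out.extend(line.rstrip("\n") for line in f)
        else:
            out.append(a)
    return out


def echo_all_command(args):
    """Hypothetical command that takes any number of arguments and reflects
    them back to the caller: every expanded line is returned (whole-file read)."""
    return "ok: " + " ".join(args)


def no_arg_command(args):
    """Hypothetical command that accepts no arguments and reports the first
    unexpected one in its error: only the first expanded line is returned."""
    if args:
        raise ValueError("No argument is allowed: " + args[0])
    return "ok"


COMMANDS = {"echo-all": echo_all_command, "no-args": no_arg_command}


def run_cli(command, raw_args, expand=True):
    """Dispatch a modelled CLI command; errors are returned as the text the
    caller would see, since that text is where a partial read leaks."""
    try:
        return COMMANDS[command](expand_at_files(raw_args, expand))
    except ValueError as e:
        return "ERROR: " + str(e)


def demo():
    """Run both commands with and without @file expansion; return the outputs."""
    path = write_sample_file()
    try:
        return {
            "vulnerable_echo_all": run_cli("echo-all", ["@" + path]),
            "vulnerable_no_args": run_cli("no-args", ["@" + path]),
            "fixed_echo_all": run_cli("echo-all", ["@" + path], expand=False),
            "fixed_no_args": run_cli("no-args", ["@" + path], expand=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two vulnerable outputs show why the advisory distinguishes between reading whole files and reading only the first few lines: a command that reflects all of its arguments hands back every line, while a command with a fixed argument count leaks only as much as its error message repeats. With expansion disabled, the literal ‘@/path’ string reaches the command and nothing is read from disk.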

The latest Jenkins versions also resolve two high-severity bugs, including a cross-site WebSocket hijacking (CSWSH) bug leading to CLI command execution and an arbitrary file read in the Git Server Plugin that has an impact similar to that of CVE-2024-23897, but requires authentication for exploitation.

Jenkins also announced patches for several medium- and low-severity vulnerabilities in the open source automation server, as well as fixes for multiple high-severity vulnerabilities in various plugins, but warned that CVE-2024-23904, a Log Command Plugin flaw similar to CVE-2024-23897, remains unpatched.

Related: Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins

Related: Jenkins Server Vulnerabilities Chained for Remote Code Execution

Related: Jenkins Says Confluence Service Compromised Using Recent Exploit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
