PoC Exploit Published for Critical Jenkins Vulnerability

PoC exploit code targeting a critical Jenkins vulnerability patched last week is already publicly available.

Updating to the latest Jenkins versions has become imperative, as proof-of-concept (PoC) exploit code targeting a critical vulnerability patched last week is now publicly available.

Tracked as CVE-2024-23897 and affecting Jenkins versions before 2.442 and LTS 2.426.3, the security defect exists because the open source automation server’s command parser has a feature that replaces an ‘@’ character followed by a file path in an argument with the file’s contents.

The flaw allows unauthenticated attackers to read the first few lines of arbitrary files on the Jenkins controller file system and enables authenticated attackers to read the full contents of files.
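To make the mechanism concrete, the following is an added example (not Jenkins or args4j code, and not from the article): a toy command-line argument expander that models the described "@" behaviour, shown beside the hardened form that the patched versions adopt by simply not expanding such arguments. The in-memory "file system", the function names and the sample arguments are all constructed for illustration; the real parser's details are assumed to match the article's description only at the level of "an argument beginning with '@' is replaced by the named file's contents".

```python
"""
Toy model of the '@file' argument-expansion pattern described in the article.

Added example, not Jenkins code. The parser, the in-memory file system and
every helper name here are constructed for illustration.
"""
from typing import Callable, Dict, List

# Constructed stand-in for the controller's disk: path -> file contents.
FAKE_FS: Dict[str, str] = {
    "/srv/app/notes.txt": "line one\nline two\nline three\nline four\n",
}


def read_fake_file(path: str) -> str:
    """Stand-in for a file read on the server (constructed, no real I/O)."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def expand_args_vulnerable(
    args: List[str],
    read_file: Callable[[str], str] = read_fake_file,
) -> List[str]:
    """The problematic behaviour: an argument that starts with '@' is replaced
    by the contents of the named file, modelled here as one argument per line.
    The caller, not the server operator, chooses which path gets opened, which
    is exactly why unauthenticated input must never reach such a feature."""
    out: List[str] = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            out.extend(read_file(arg[1:]).splitlines())
        else:
            out.append(arg)
    return out


def expand_args_hardened(args: List[str]) -> List[str]:
    """The shape of the fix in the patched releases: the expansion feature is
    disabled, so '@...' is passed through as an ordinary literal and no file
    is opened on the caller's behalf."""
    return list(args)


def find_at_file_arguments(args: List[str]) -> List[str]:
    """Defensive helper (constructed): flag any '@path' argument in a request so
    an operator can log or reject it while unpatched instances still exist."""
    return [a for a in args if a.startswith("@") and len(a) > 1]


if __name__ == "__main__":
    request = ["some-command", "@/srv/app/notes.txt"]
    print("vulnerable :", expand_args_vulnerable(request))
    print("hardened   :", expand_args_hardened(request))
    print("flagged    :", find_at_file_arguments(request))
```

The difference between the two expanders is the whole bug class: in the vulnerable form the file path is attacker-controlled data that the parser turns into a read on the server, whereas the hardened form keeps the argument as opaque text. `find_at_file_arguments` is the kind of check a reverse proxy or request log filter can apply in front of an instance that cannot be updated immediately; it is a stopgap, not a substitute for the patch or for disabling the CLI.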

Last week, Jenkins warned that attackers could exploit the vulnerability to read cryptographic keys stored within binary files and that, under certain conditions, these keys could be used to execute arbitrary code remotely, decrypt secrets, and perform other unauthorized actions.

Code quality platform Sonar, which identified the issue, said last week that successful exploitation of the bug could allow attackers to read build artifacts, passwords, project secrets, SSH keys, source code, and other sensitive information.

Within days after Jenkins announced patches for this and several other vulnerabilities, and after Sonar published a technical writeup on CVE-2024-23897, PoC code targeting the critical issue was published on GitHub, easing the path to malicious exploitation.

The PoC code allows authenticated attackers to retrieve the full contents of files, while unauthenticated attackers can use it to read the first three lines of a file.

Organizations are urged to update to Jenkins versions 2.442 or LTS 2.426.3, which resolve the bug by disabling the problematic feature in the command parser. As a temporary workaround, administrators can disable access to the built-in command line interface (CLI) of Jenkins, which prevents exploitation.
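The version thresholds above are easy to misapply across the two Jenkins release lines. The following is an added example (not from the article or the Jenkins project) that turns them into a triage check: weekly releases are assumed to be two-component strings (`2.441`) and LTS releases three-component strings (`2.426.2`), and an instance is treated as needing the update when it is below `2.442` on the weekly line or below `2.426.3` on the LTS line. The sample inventory, host names and function names are constructed.

```python
"""
Added example (not the article's or Jenkins' own code): decide whether a
Jenkins version string is still below the fixed releases named in the
article (weekly 2.442, LTS 2.426.3) and triage a constructed inventory.
"""
from typing import Dict, List, Tuple

# Fixed versions from the article; earlier versions on each line are affected.
FIXED_WEEKLY: Tuple[int, ...] = (2, 442)
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)

# Constructed sample inventory: host -> reported Jenkins version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-weekly-a": "2.441",
    "ci-weekly-b": "2.442",
    "ci-lts-old": "2.414.3",
    "ci-lts-prev": "2.426.2",
    "ci-lts-fixed": "2.426.3",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR' (weekly) or 'MAJOR.MINOR.PATCH' (LTS) into a tuple.
    Assumption: Jenkins version strings are purely numeric, dot-separated."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """LTS releases carry a third component; weekly releases do not (assumed)."""
    return len(parse_version(version)) == 3


def needs_update(version: str) -> bool:
    """True when the version is below the fixed release for its own line.
    Tuple comparison handles the numeric ordering (2.426.3 > 2.426.2,
    2.442 > 2.441) without string-comparison mistakes."""
    v = parse_version(version)
    return v < (FIXED_LTS if len(v) == 3 else FIXED_WEEKLY)


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts, sorted, that still run an affected version."""
    return sorted(host for host, ver in inventory.items() if needs_update(ver))


if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        line = "LTS" if is_lts(SAMPLE_INVENTORY[host]) else "weekly"
        print(f"{host}: {SAMPLE_INVENTORY[host]} ({line}) needs update")
```

Note that the check looks only at the version: an instance that an administrator has mitigated by disabling the CLI, as the article's workaround describes, will still be listed, which is the intended behaviour since the workaround is temporary and the update is what actually removes the parser feature.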

Designed for building, deploying, and automating software projects, Jenkins had an estimated 44% share of the continuous integration and continuous delivery (CI/CD) market last year, making it a highly attractive target for threat actors.

Related: PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability

Related: Recent Juniper Flaws Chained in Attacks Following PoC Exploit Publication

Related: PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
