
The maintainers of Jenkins, the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software, have fixed nine security weaknesses. One of the major bugs could lead to remote code execution (RCE) if successfully exploited.

The problem, which has been given the CVE-2024-23897 designation, is characterized as an arbitrary file read vulnerability that may be exploited using the integrated command line interface (CLI).

The maintainers stated in a Wednesday advisory that “Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands.”

This command parser has a feature (expandAtFiles) that replaces an @ character followed by a file path in an argument with the contents of that file. Jenkins 2.441 and earlier, as well as LTS 2.426.2 and earlier, do not disable this feature by default.

A threat actor could abuse this behaviour to read arbitrary files on the Jenkins controller's file system, with the contents decoded using the Jenkins controller process's default character encoding.

Depending on the CLI commands used, attackers with “Overall/Read” access can view the full file; those without it can only view the first three lines.

Furthermore, with some limitations, the vulnerability can be leveraged to read binary files that contain cryptographic keys. Jenkins states that, if those binary secrets are retrieved, they may enable a number of further attacks:

  • Remote code execution via Resource Root URLs
  • Remote code execution via “Remember me” cookie
  • Remote code execution via stored cross-site scripting (XSS) attacks through build logs
  • Remote code execution via CSRF protection bypass
  • Decrypt secrets stored in Jenkins
  • Delete any item in Jenkins
  • Download a Java heap dump

“While files containing binary data can be read, the affected feature attempts to read them as strings using the controller process’s default character encoding,” Jenkins stated.

“A placeholder value will probably be used in lieu of certain bytes that cannot be correctly read as a result of this. This character encoding determines which bytes are readable and which are not.”
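The @file expansion and the encoding caveat described above, modelled as an added example that is not Jenkins' or args4j's own code: a Python sketch of the parser's at-syntax with the feature enabled (the old default) and disabled (the behaviour the fix switched to), including the placeholder substitution for bytes the default encoding cannot decode. The function names, the temporary sample file and the one-argument-per-line expansion are assumptions of this model.

```python
import os
import tempfile
from typing import List


def expand_at_files(args: List[str], at_syntax: bool = True,
                    encoding: str = "utf-8") -> List[str]:
    """Model of an args4j-style expandAtFiles step (assumption, not the real code).

    With at_syntax=True (the default that Jenkins 2.441 / LTS 2.426.2 and
    earlier inherited), an argument "@<path>" is replaced by the lines of
    <path>, one argument per line, decoded with the process's default
    encoding. Bytes that are invalid in that encoding become U+FFFD, which
    is why binary files come back only partly readable.
    With at_syntax=False (the hardened setting) the argument is left as-is,
    so no file is ever opened on the parser's behalf.
    """
    if not at_syntax:
        return list(args)
    out: List[str] = []
    for arg in args:
        if arg.startswith("@"):
            path = arg[1:]
            if not os.path.exists(path):
                raise FileNotFoundError(path)
            with open(path, "rb") as fh:
                text = fh.read().decode(encoding, errors="replace")
            out.extend(text.splitlines())
        else:
            out.append(arg)
    return out


def demo() -> dict:
    """Constructed input: a small file with two text lines and one byte (0xFF)
    that is not valid UTF-8, to show the placeholder behaviour."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".txt") as fh:
        fh.write(b"first line\nsecond line\n\xff")
        path = fh.name
    try:
        cmd = ["help", "@" + path]
        return {
            "vulnerable": expand_at_files(cmd, at_syntax=True),
            "hardened": expand_at_files(cmd, at_syntax=False),
        }
    finally:
        os.unlink(path)
```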

The vulnerability was found and reported by security researcher Yaniv Nizry. The fix is available in Jenkins 2.442 and LTS 2.426.3, which disable the command parser feature.

As a temporary mitigation until the fix can be applied, it is advised to disable access to the CLI.

The update comes over a year after Jenkins patched two serious security flaws known as CorePlague (CVE-2023-27898 and CVE-2023-27905), which could have allowed code execution on targeted systems.