Jenkins, the widely used open-source automation server maintained by CloudBees and the Jenkins community, has recently addressed nine security vulnerabilities, among them a critical flaw tracked as CVE-2024-23897, posing a significant risk of remote code execution (RCE). Researcher Yaniv Nizry from Sonar provided a detailed analysis of the issue.
Overview
The Jenkins automation server, supporting developers worldwide in building, testing, and deploying applications, boasts hundreds of thousands of active installations and over 1 million users.
Vulnerability Details
The security flaw (CVE-2024-23897) revolves around Jenkins’ built-in command line interface (CLI), utilizing the args4j library to parse CLI command arguments. The flaw, present in versions up to 2.441 and LTS 2.426.2, involves the ‘expandAtFiles’ feature, which replaces the ‘@’ character followed by a file path in an argument with the file’s content.
An attacker can exploit the default character encoding to read arbitrary files on the controller file system. The severity of the compromise varies based on the attacker’s permission level:
- Attackers with “Overall/Read” permission can read entire files.
- Attackers without this permission can read the first three lines of files, depending on available CLI commands.
Advisory Notes
The advisory includes the following key points:
- Attackers with Overall/Read permission can read entire files.
- Attackers without Overall/Read permission can read the first few lines of files, with the line count depending on available CLI commands.
- Exploiting this flaw may allow access to binary files containing cryptographic keys with certain limitations.
Potential Exploits
Upon obtaining binary secrets, an attacker could carry out various attacks, including but not limited to:
- Remote code execution via Resource Root URLs.
- Remote code execution via the “Remember me” cookie.
- Remote code execution via stored cross-site scripting (XSS) attacks through build logs.
- Remote code execution via CSRF protection bypass.
- Decrypt secrets stored in Jenkins.
- Delete any item in Jenkins.
- Download a Java heap dump.
Resolution
The Jenkins maintainers have addressed the issue in versions 2.442 and LTS 2.426.3 by disabling the command parser feature. Additionally, the advisory recommends turning off access to the CLI as a workaround.