Jenkins has addressed a critical severity vulnerability (CVE-2024-23897) affecting Jenkins Core. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on target systems.
The vulnerability is being exploited in the wild. Many threat researchers have released the PoC for the vulnerability.
Jenkins is an open-source automation server that helps in Continuous Integration (CI) and Continuous Deployment (CD) by automating the building, testing, and deployment processes involved in software development. It is a server-based system that runs in servlet containers such as Apache Tomcat.
The vulnerability exists in the command parser feature of Jenkins core. Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment.
When processing CLI commands, Jenkins parses command arguments and options on the Jenkins controller using the args4j library. One feature of this command parser is the ability to replace a @ character in an argument with the contents of the file (expandAtFiles) when the argument contains a file path. By default, this feature is enabled; Jenkins 2.441 and LTS 2.426.2 and older versions do not disable it
Exploiting the Jenkins controller process’s default character encoding enables attackers to access any file on the file system of the Jenkins controller.
Ways of exploitation of the vulnerability:
- An attacker with Overall/Read permission can read entire files.
- An attacker can view a file’s opening few lines if they don’t have the authorization to read it overall. The available CLI commands determine how many lines can be read. The Jenkins security team has discovered methods to read the first three lines of files in current Jenkins releases without the need for any installed plugins. At the time of the advisory’s publication, no plugins have been found that would increase this line count.
- Jenkins weekly up to and including 2.441
- Jenkins LTS up to and including LTS 2.426.2
Customers must upgrade to the following versions to patch the vulnerability:
- Jenkins weekly should be updated to version 2.442
- Jenkins LTS should be updated to version 2.426.3
Please refer to the Jenkins Security Advisory for more information.
Disabling access to the CLI would prevent exploitation completely. Administrators unable to update to Jenkins 2.442 LTS 2.426.3 should apply this workaround immediately. Applying this workaround does not require a Jenkins restart. For instructions, please refer to the documentation.
Qualys customers can scan their devices with QID 731109 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.