The maintainers of Jenkins, the open-source continuous integration/continuous delivery and deployment (CI/CD) automation server, have fixed nine security vulnerabilities, one of them critical: an arbitrary file read that, depending on the controller's configuration, can be escalated to remote code execution (RCE).
Identified as CVE-2024-23897, the critical flaw allows arbitrary file reads through the built-in command line interface (CLI). Jenkins uses the args4j library to parse command arguments and options on the controller, and that parser has a feature, expandAtFiles, which replaces an argument consisting of an @ character followed by a file path with the contents of that file, one line per argument. Jenkins left the feature enabled by default, so it is active in Jenkins versions 2.441 and earlier and in LTS 2.426.2 and earlier, leaving those controllers exploitable.
Anyone who can reach the CLI can use this to read arbitrary files on the Jenkins controller's file system. An attacker with Overall/Read permission can read entire files. One without it gets only the first few lines, because the commands that echo every argument back require Overall/Read and fail before they run, leaving the anonymous caller with the parser's own error message, which quotes a single argument; how many lines leak therefore depends on which CLI commands are available (the Jenkins security team found ways to read the first three lines of a file on a recent release with no plugins installed). Binary files containing cryptographic keys used by Jenkins can also be read, with some limitations, because the parser reads the file as text and mangles bytes that are not valid in the controller's character encoding. Those keys are what make the bug critical: with them an attacker can decrypt secrets stored in Jenkins or, in some configurations, achieve RCE.
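The mechanism above, as an added example that is not part of the original article and is not Jenkins or args4j code: a small Python model of an args4j-style parser with @-file expansion in front of a toy CLI whose error messages echo arguments. The command names (help, connect-node), their arities, the permission rule and the message texts are modelled on the Jenkins CLI but are constructed for this illustration; the three-line "secret" file is constructed too. It shows why an anonymous caller sees one line (a parse-time "Too many arguments" error that fires before authorization), why a caller with Overall/Read sees every line (a multi-valued argument command reporting each unknown name), and why turning the @ syntax off stops both.

```python
"""Model of the CVE-2024-23897 mechanism: args4j-style "@file" argument
expansion feeding a CLI whose error messages echo arguments back.

Constructed for illustration; this is not Jenkins or args4j code. Command
names, arities and message texts are modelled on the Jenkins CLI but
simplified.
"""
import os
import tempfile


class ParseError(Exception):
    """Raised while binding arguments, i.e. before any permission check."""


def expand_at_files(args, at_syntax=True):
    """Mimic args4j expandAtFiles: with the @ syntax on, an argument "@<path>"
    is replaced by the lines of <path>, one positional argument per line.
    With it off (what the Jenkins fix does) the argument passes through."""
    expanded = []
    for arg in args:
        if at_syntax and arg.startswith("@"):
            # The file is read as text, so a binary file survives only
            # partially; that is the "with some limitations" in the advisory.
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\r\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


# command -> (positional arity, requires Overall/Read). Constructed model.
COMMANDS = {
    "help": ("one", False),          # help COMMAND; usable anonymously
    "connect-node": ("many", True),  # connect-node NODE...; needs Overall/Read
}


def bind_positionals(arity, values):
    """Bind positional values like args4j: a single-valued argument consumes
    one value and any surplus is rejected with a message quoting the first
    surplus value; a multi-valued argument consumes all of them."""
    if arity == "one" and len(values) > 1:
        raise ParseError(f"Too many arguments: {values[1]}")
    return list(values)


def run_cli(argv, user, at_syntax=True, known_nodes=("built-in",)):
    """One controller-side CLI invocation; returns what the client sees.
    Stage order is the point: expansion and binding run before authorization,
    so an anonymous caller still receives the parse-time error text."""
    command, raw = argv[0], argv[1:]
    if command not in COMMANDS:
        return f"ERROR: No such command {command}"
    arity, needs_read = COMMANDS[command]
    try:
        values = bind_positionals(arity, expand_at_files(raw, at_syntax))
    except ParseError as e:
        return f"ERROR: {e}"            # one file line leaks, to anyone
    if needs_read and user == "anonymous":
        return f"ERROR: {user} is missing the Overall/Read permission"
    if command == "help":
        return f"ERROR: No such command {values[0]}" if values else "Usage: ..."
    # connect-node reports every unknown node name it was given: with the
    # @ syntax on, that is every line of the file.
    errors = [f'{n}: No such agent "{n}" exists.' for n in values if n not in known_nodes]
    return "\n".join(errors) or "connected"


def demo():
    """Write a constructed three-line 'secret' file and run the four cases."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("line-1 secret\nline-2 secret\nline-3 secret\n")
        path = fh.name
    try:
        return {
            "anon_vulnerable": run_cli(["help", "@" + path], "anonymous"),
            "read_vulnerable": run_cli(["connect-node", "@" + path], "alice"),
            "anon_fixed": run_cli(["help", "@" + path], "anonymous", at_syntax=False),
            "read_fixed": run_cli(["connect-node", "@" + path], "alice", at_syntax=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for case, output in demo().items():
        print(f"--- {case}\n{output}")
```

Running the block prints the four cases: the anonymous call against the vulnerable parser returns the second line of the file inside a "Too many arguments" error, the Overall/Read call returns all three lines, and with the @ syntax disabled both calls only echo the literal string "@/path", which is the behaviour the fixed Jenkins releases restore.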
Yaniv Nizry, a security researcher at SonarSource, discovered and reported the flaw on November 13, 2023. It is fixed in Jenkins 2.442 and LTS 2.426.3, which disable the parser's @-file expansion for CLI commands.
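Because the fix shipped on two release lines, checking "is my version higher than 2.426.3?" is not enough: weekly 2.430 is numerically newer than LTS 2.426.3 and still vulnerable. The following triage helper is an added example, not Jenkins project code; it assumes the version string is taken from the X-Jenkins header that a Jenkins controller adds to its HTTP responses, distinguishes LTS from weekly releases by the number of version components, and compares against the fix versions named above. The sample header values are constructed, and jenkins.example.org is a placeholder.

```python
"""Triage a Jenkins controller's self-reported version against the
CVE-2024-23897 fix versions (weekly 2.442, LTS 2.426.3).

Example code added for this article, not Jenkins project code. It assumes the
version string comes from the X-Jenkins response header that a Jenkins
controller adds to its HTTP responses; fetch it with, for example:
    curl -sI https://jenkins.example.org/login | grep -i '^X-Jenkins:'
(jenkins.example.org is a placeholder.)
"""
import re

FIXED_WEEKLY = (2, 442)    # weekly line: 2.441 and earlier affected
FIXED_LTS = (2, 426, 3)    # LTS line: 2.426.2 and earlier affected


def parse_version(text):
    """Return the numeric leading part of a Jenkins version as a tuple, e.g.
    "2.426.2" -> (2, 426, 2). Suffixes such as "-SNAPSHOT" are ignored.
    Raises ValueError if no version number is present."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_lts(parts):
    """LTS releases carry three components (2.426.3); weeklies carry two
    (2.442). Comparing across the two lines is the classic mistake: weekly
    2.430 is newer than LTS 2.426.3 but still vulnerable."""
    return len(parts) == 3


def is_fixed_for_cve_2024_23897(version_text):
    """True if the reported version already contains the fix."""
    parts = parse_version(version_text)
    return parts >= (FIXED_LTS if is_lts(parts) else FIXED_WEEKLY)


def triage(header_value):
    """Classify an X-Jenkins header value (None if the header was absent)."""
    if header_value is None:
        return "unknown: no X-Jenkins header (proxy stripping it, or not Jenkins)"
    try:
        parts = parse_version(header_value)
    except ValueError:
        return f"unknown: unparseable version {header_value!r}"
    line = "LTS" if is_lts(parts) else "weekly"
    state = "fixed" if is_fixed_for_cve_2024_23897(header_value) else "VULNERABLE"
    return f"{state}: {line} {'.'.join(map(str, parts))}"


if __name__ == "__main__":
    # Constructed header values, not observations from a real controller.
    for sample in ["2.426.2", "2.426.3", "2.441", "2.442", "2.430", "2.440.1", None]:
        print(f"{sample!r:>12} -> {triage(sample)}")
```

A missing header is reported as unknown rather than as safe: reverse proxies sometimes strip X-Jenkins, so absence of the header is not evidence that the fix is in place.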
Until the update can be applied, disabling access to the CLI is the recommended mitigation; the Jenkins advisory states that this is expected to prevent exploitation completely.
The disclosure comes roughly a year after Jenkins fixed two severe vulnerabilities, collectively dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905), that could also lead to code execution on affected servers.