Critical Jenkins Vulnerability Exposes Servers to RCE Attacks


The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE).

The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI).

“Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands,” the maintainers said in a Wednesday advisory.

“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.”

A threat actor could exploit this quirk to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

While attackers with “Overall/Read” permission can read entire files, those without it can read the first three lines of the files, depending on the CLI commands.

Furthermore, the shortcoming could be weaponized to read binary files containing cryptographic keys, albeit with certain restrictions. Provided the binary secrets can be extracted, Jenkins says it could open the door to various attacks:

  • Remote code execution via Resource Root URLs
  • Remote code execution via “Remember me” cookie
  • Remote code execution via stored cross-site scripting (XSS) attacks through build logs
  • Remote code execution via CSRF protection bypass
  • Decrypt secrets stored in Jenkins
  • Delete any item in Jenkins
  • Download a Java heap dump

“While files containing binary data can be read, the affected feature attempts to read them as strings using the controller process’s default character encoding,” Jenkins said.

“This is likely to result in some bytes not being read successfully and being replaced with a placeholder value. Which bytes can or cannot be read depends on this character encoding.”

Security researcher Yaniv Nizry has been credited with discovering and reporting the flaw, which has been fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature.

As a short-term workaround until the patch can be applied, it is recommended to turn off access to the CLI.

The development comes nearly a year after Jenkins addressed a pair of severe security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that could lead to code execution on targeted systems.
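As an added example (not code from the article or from the Jenkins project), the following Python helper applies the affected-version range stated above to a Jenkins version string, or to the `X-Jenkins` header a controller returns on HTTP responses, and says whether the instance still needs the update or the CLI workaround. The sample headers at the bottom are constructed for illustration, and the `triage` / `is_affected` function names are this example's own.

```python
"""Version triage for CVE-2024-23897 (added example, not Jenkins project code).

The advisory quoted above gives the affected range as Jenkins weekly 2.441 and
earlier and LTS 2.426.2 and earlier, fixed in 2.442 and LTS 2.426.3.  Weekly
releases use two-component versions (2.441); LTS releases use three (2.426.2),
so the number of components tells the two release lines apart.
"""
from __future__ import annotations

import re

# Last affected version per release line, taken from the advisory text.
LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); reject strings that are not Jenkins versions."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    parts = parse_version(version)
    if len(parts) == 3:                       # LTS line, e.g. 2.426.2
        return parts <= LAST_AFFECTED_LTS
    return parts <= LAST_AFFECTED_WEEKLY      # weekly line, e.g. 2.441


def version_from_headers(headers: dict[str, str]) -> str | None:
    """Jenkins reports its version in the X-Jenkins response header (case-insensitive lookup)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(headers: dict[str, str]) -> str:
    """Classify a controller from its HTTP response headers."""
    version = version_from_headers(headers)
    if version is None:
        return "unknown: no X-Jenkins header"
    try:
        affected = is_affected(version)
    except ValueError:
        return f"unknown: unparsable version {version}"
    status = "AFFECTED - update or disable CLI access" if affected else "fixed"
    return f"{version}: {status}"


# Constructed sample headers (not captured from any real system).
SAMPLE_HEADERS = [
    {"X-Jenkins": "2.426.2"},       # last affected LTS
    {"X-Jenkins": "2.442"},         # first fixed weekly
    {"x-jenkins": "2.440.1"},       # later LTS line, already fixed
    {"Server": "nginx"},            # not a Jenkins controller, or header stripped
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(triage(h))
```

Note that a reverse proxy may strip the `X-Jenkins` header, so an "unknown" result is a prompt to check the version from the Jenkins UI or the controller host itself, not evidence that the instance is fixed.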
